diff --git a/drivers/1fc7aeeff3ab19004d2e53eae8160ab1.bin b/drivers/1fc7aeeff3ab19004d2e53eae8160ab1.bin
new file mode 100644
index 000000000..44d5c447b
--- /dev/null
+++ b/drivers/1fc7aeeff3ab19004d2e53eae8160ab1.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50
+size 742400
diff --git a/drivers/4118b86e490aed091b1a219dba45f332.bin b/drivers/4118b86e490aed091b1a219dba45f332.bin
new file mode 100644
index 000000000..a0bbf77f3
--- /dev/null
+++ b/drivers/4118b86e490aed091b1a219dba45f332.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873
+size 742400
diff --git a/drivers/4748696211bd56c2d93c21cab91e82a5.bin b/drivers/4748696211bd56c2d93c21cab91e82a5.bin
new file mode 100644
index 000000000..8f4d21cda
--- /dev/null
+++ b/drivers/4748696211bd56c2d93c21cab91e82a5.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440
+size 742400
diff --git a/drivers/5a4fe297c7d42539303137b6d75b150d.bin b/drivers/5a4fe297c7d42539303137b6d75b150d.bin
new file mode 100644
index 000000000..52620f4af
--- /dev/null
+++ b/drivers/5a4fe297c7d42539303137b6d75b150d.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40
+size 742400
diff --git a/drivers/6771b13a53b9c7449d4891e427735ea2.bin b/drivers/6771b13a53b9c7449d4891e427735ea2.bin
new file mode 100644
index 000000000..90432b77a
--- /dev/null
+++ b/drivers/6771b13a53b9c7449d4891e427735ea2.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b
+size 742400
diff --git a/drivers/a236e7d654cd932b7d11cb604629a2d0.bin b/drivers/a236e7d654cd932b7d11cb604629a2d0.bin
new file mode 100644
index 000000000..170153b94
--- /dev/null
+++ b/drivers/a236e7d654cd932b7d11cb604629a2d0.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830
+size 742400
diff --git a/drivers/a26363e7b02b13f2b8d697abb90cd5c3.bin b/drivers/a26363e7b02b13f2b8d697abb90cd5c3.bin
new file mode 100644
index 000000000..3c6758a70
--- /dev/null
+++ b/drivers/a26363e7b02b13f2b8d697abb90cd5c3.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327
+size 742400
diff --git a/drivers/a9df5964635ef8bd567ae487c3d214c4.bin b/drivers/a9df5964635ef8bd567ae487c3d214c4.bin
new file mode 100644
index 000000000..f276ece25
--- /dev/null
+++ b/drivers/a9df5964635ef8bd567ae487c3d214c4.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7
+size 742400
diff --git a/drivers/be6318413160e589080df02bb3ca6e6a.bin b/drivers/be6318413160e589080df02bb3ca6e6a.bin
new file mode 100644
index 000000000..1eb97583d
--- /dev/null
+++ b/drivers/be6318413160e589080df02bb3ca6e6a.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4
+size 742400
diff --git a/drivers/c94f405c5929cfcccc8ad00b42c95083.bin b/drivers/c94f405c5929cfcccc8ad00b42c95083.bin
new file mode 100644
index 000000000..7cc06f7a7
--- /dev/null
+++ b/drivers/c94f405c5929cfcccc8ad00b42c95083.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee
+size 742400
diff --git a/drivers/e29f6311ae87542b3d693c1f38e4e3ad.bin b/drivers/e29f6311ae87542b3d693c1f38e4e3ad.bin
new file mode 100644
index 000000000..78af498f6
--- /dev/null
+++ b/drivers/e29f6311ae87542b3d693c1f38e4e3ad.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6
+size 742400
diff --git a/drivers/e939448b28a4edc81f1f974cebf6e7d2.bin b/drivers/e939448b28a4edc81f1f974cebf6e7d2.bin
new file mode 100644
index 000000000..79419344b
--- /dev/null
+++ b/drivers/e939448b28a4edc81f1f974cebf6e7d2.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a
+size 742400
diff --git a/drivers/ef0e1725aaf0c6c972593f860531a2ea.bin b/drivers/ef0e1725aaf0c6c972593f860531a2ea.bin
new file mode 100644
index 000000000..2978a6e69
--- /dev/null
+++ b/drivers/ef0e1725aaf0c6c972593f860531a2ea.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f
+size 739328
diff --git a/yaml/14556074-b235-4378-b356-f58721629d72.yaml b/yaml/14556074-b235-4378-b356-f58721629d72.yaml
index 11c4a3b73..3bdd451e7 100644
--- a/yaml/14556074-b235-4378-b356-f58721629d72.yaml
+++ b/yaml/14556074-b235-4378-b356-f58721629d72.yaml
@@ -1881,99 +1881,99 @@ KnownVulnerableSamples: SHA1: 8b9dd4c001f17e7835fdaf0d87a2f3e026557e84 SHA256: 2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304 Sections: + .text: + Entropy: 6.097853212616491 + Virtual Size: '0x37f6' + .rdata: + Entropy: 4.063554093583363 + Virtual Size: '0x940' .data: Entropy: 1.4269125817182893 Virtual Size: '0x2b8' .pdata: Entropy: 3.9170697014365152 Virtual Size: '0x1f8' - .rdata: - Entropy: 4.063554093583363 - Virtual Size: '0x940' - .reloc: - Entropy: 2.8064493688417227 - Virtual Size: '0xa4' - .text: - Entropy: 6.097853212616491 - Virtual Size: '0x37f6' - INIT: - Entropy: 5.100311543493838 - Virtual Size: '0x5cc' PAGE: Entropy: 6.079756252073022 Virtual Size: '0x28b' + INIT: + Entropy: 5.100311543493838 + Virtual Size: '0x5cc' + .reloc: + Entropy: 2.8064493688417227 + Virtual Size: '0xa4' Signature: '' Signatures: - - Certificates: - - IsCertificateAuthority: true - SerialNumber: 0400000000012019c19066 + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA + ValidFrom: '2009-03-18 11:00:00' + ValidTo: '2028-01-28 12:00:00' Signature: 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 SignatureAlgorithmOID: 1.2.840.113549.1.1.5 - Subject: OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA + IsCertificateAuthority: true + SerialNumber: 0400000000012019c19066 + Version: 3 TBS: MD5: 42023b9487cafe46c1b6a49c369a362e SHA1: 7c7b524d269334b9f073c32e888e09544c6acd98 SHA256: b7126567833f3daa4085ff41e73112daad3d1e3808a942c1936520e2d6c46c78 - ValidFrom: '2009-03-18 11:00:00' - ValidTo: '2028-01-28 12:00:00' - Version: 3 - - IsCertificateAuthority: true - SerialNumber: 0400000000012f4ee1355c + - Subject: C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2 + ValidFrom: '2011-04-13 10:00:00' + ValidTo: '2019-04-13 10:00:00' Signature: 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 SignatureAlgorithmOID: 1.2.840.113549.1.1.5 
- Subject: C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2 + IsCertificateAuthority: true + SerialNumber: 0400000000012f4ee1355c + Version: 3 TBS: MD5: f6a9e8eb8784f3f694b4e353c08a0ff5 SHA1: 589a7d4df869395601ba7538a65afae8c4616385 SHA256: cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4 - ValidFrom: '2011-04-13 10:00:00' - ValidTo: '2019-04-13 10:00:00' - Version: 3 - - IsCertificateAuthority: false - SerialNumber: 01000000000125b0b4cc01 + - Subject: C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority + ValidFrom: '2009-12-21 09:32:56' + ValidTo: '2020-12-22 09:32:56' Signature: 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 SignatureAlgorithmOID: 1.2.840.113549.1.1.5 - Subject: C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority + IsCertificateAuthority: false + SerialNumber: 01000000000125b0b4cc01 + Version: 3 TBS: MD5: e3369c8e5aec0504b3a50455f615d9f9 SHA1: 13c244a894b40ecd18aaf97c362f20385bd005a7 SHA256: 26da721a670c72836926032fee6920118bfb9bff89cc8d0ce30d9452c33f2532 - ValidFrom: '2009-12-21 09:32:56' - ValidTo: '2020-12-22 09:32:56' - Version: 3 - - IsCertificateAuthority: false - SerialNumber: 112169417a1c3ef46a301f99385f50680fa0 + - Subject: C=FR, CN=Benjamin Delpy + ValidFrom: '2011-06-28 09:46:16' + ValidTo: '2014-06-28 09:46:16' Signature: 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 SignatureAlgorithmOID: 1.2.840.113549.1.1.5 - Subject: C=FR, CN=Benjamin Delpy + IsCertificateAuthority: false + SerialNumber: 112169417a1c3ef46a301f99385f50680fa0 + Version: 3 TBS: MD5: ee0a53dda8301d1e78bd5487f1d49bf4 SHA1: 5538f8cd492c2ec8d581f3665d2b4217c86fa19a SHA256: a39725e610e1a556e7bdfad56f59d24a5278073378a5d9880e14395bbd808deb - ValidFrom: '2011-06-28 09:46:16' - ValidTo: '2014-06-28 09:46:16' - Version: 3 - - IsCertificateAuthority: true - SerialNumber: 610b7f6b000000000019 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA + ValidFrom: '2006-05-23 17:00:51' + ValidTo: 
'2016-05-23 17:10:51' Signature: 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 SignatureAlgorithmOID: 1.2.840.113549.1.1.5 - Subject: C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA + IsCertificateAuthority: true + SerialNumber: 610b7f6b000000000019 + Version: 3 TBS: MD5: 4798d55be7663a75649cda4dedc686ef SHA1: 0f1ab2937b245d9466ea6f9bf056a5942e3989cf SHA256: ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1 - ValidFrom: '2006-05-23 17:00:51' - ValidTo: '2016-05-23 17:10:51' - Version: 3 - CertificatesInfo: '' Signer: - - Issuer: C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2 - SerialNumber: 112169417a1c3ef46a301f99385f50680fa0 + - SerialNumber: 112169417a1c3ef46a301f99385f50680fa0 + Issuer: C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2 Version: 1 - SignerInfo: '' MitreID: T1068 Resources: - https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c Tags: - mimikatz.sys -Verified: 'TRUE' \ No newline at end of file +Verified: 'TRUE' diff --git a/yaml/2866bd72-a4b1-4764-a838-9ed0790c2631.yaml b/yaml/2866bd72-a4b1-4764-a838-9ed0790c2631.yaml new file mode 100644 index 000000000..96d05c834 --- /dev/null +++ b/yaml/2866bd72-a4b1-4764-a838-9ed0790c2631.yaml 
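Review bot: The 99-line churn in this hunk comes from the serializer emitting the `Sections`, `Certificates` and `Signer` mappings in a different key order than the committed file, not from any change in values — every `Entropy`, `Virtual Size`, serial number and TBS hash on the `-` side reappears unchanged on the `+` side, and the only substantive change is the added trailing newline. Pin the dump order in the generator (a fixed per-schema key order, or `sort_keys=True`) so that regenerated records diff only where a value actually changes; otherwise a real edit to a certificate field will be buried in reorder noise on every run. If the new ordering (PE section order instead of alphabetical) is intentional, it is worth a sentence in the commit message so downstream consumers do not rely on either order.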
@@ -0,0 +1,219 @@ +Id: 2866bd72-a4b1-4764-a838-9ed0790c2631 +Author: Alice Climent-Pommeret +Created: '2023-07-31' +MitreID: T1014 +Category: malicious +Verified: 'TRUE' +Commands: + Command: sc.exe create a236e7d654cd932b7d11cb604629a2d0.sys binPath=C:\windows\temp\a236e7d654cd932b7d11cb604629a2d0.sys type=kernel + && sc.exe start a236e7d654cd932b7d11cb604629a2d0.sys + Description: "Cisco Talos has identified multiple versions of an undocumented malicious\ + \ driver named \u201CRedDriver,\u201D a driver-based browser hijacker that uses\ + \ the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver\ + \ has been active since at least 2021. RedDriver utilizes HookSignTool to forge\ + \ its signature timestamp to bypass Windows driver-signing policies. Code from\ + \ multiple open-source tools has been used in the development of RedDriver's infection\ + \ chain, including HP-Socket and a custom implementation of ReflectiveLoader.\ + \ The authors of RedDriver appear to be skilled in driver development and have\ + \ deep knowledge of the Windows operating system. This threat appears to target\ + \ native Chinese speakers, as it searches for Chinese language browsers to hijack.\ + \ Additionally, the authors are likely Chinese speakers themselves." 
+ Usecase: '' + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://blog.talosintelligence.com/undocumented-reddriver/ +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Filename: '' + MD5: a236e7d654cd932b7d11cb604629a2d0 + SHA1: bf2f8ada4e80aed4710993cedf4c5d32c95cd509 + SHA256: 497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830 + Signature: '' + Date: '' + Publisher: '' + Company: '' + Description: '' + Product: '' + ProductVersion: '' + FileVersion: '' + MachineType: AMD64 + OriginalFilename: '' + Authentihash: + MD5: bfb9d2676665a9791c81ebfd08054d8d + SHA1: 85c2a04f6c165640758466eb5f73a5070bc127f2 + SHA256: d9d4e7d594b4b318ac78baa79f119e4c85493eec1c1f939ae10b1633346c6e9e + RichPEHeaderHash: + MD5: ecdd5c0e8a78b145a8e5d9443ff0f2eb + SHA1: 3ed3a76d965f1b5e387959ceedc84567a2f7bca4 + SHA256: 1edc4e310bd57e5c317b972f0bdb9f1f0794009b7039364dd6a879ee5f342754 + Sections: + .text: + Entropy: 6.2119592546505995 + Virtual Size: '0xc1ee' + .rdata: + Entropy: 5.110403242864534 + Virtual Size: '0xbac' + .data: + Entropy: 7.880065856311981 + Virtual Size: '0xa5490' + .pdata: + Entropy: 4.5968345164469415 + Virtual Size: '0x540' + PAGE: + Entropy: 6.308757256393646 + Virtual Size: '0x9b5' + INIT: + Entropy: 5.268683087271941 + Virtual Size: '0xa96' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-06-29 16:52:18' + InternalName: '' + Copyright: '' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - IoRegisterDriverReinitialization + - RtlInitUnicodeString + - IoDeleteDevice + - KeSetEvent + - KeInitializeEvent + - PsCreateSystemThread + - PsTerminateSystemThread + - ZwClose + - IofCompleteRequest + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsThreadType + - IoIsWdmVersionAvailable + - IoCreateSymbolicLink + - IoCreateDevice + - ZwReadFile + - IoCreateFile + - ZwSetInformationFile + - ZwCreateFile + - 
ZwQueryDirectoryFile + - ZwDeleteFile + - ZwOpenFile + - RtlImageNtHeader + - ZwQueryInformationFile + - ZwWriteFile + - ZwSetValueKey + - ZwQueryValueKey + - _vsnprintf + - ZwFlushKey + - ZwDeleteKey + - ZwOpenKey + - _stricmp + - ZwCreateKey + - PsSetLoadImageNotifyRoutine + - PsGetProcessImageFileName + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlGetVersion + - FsRtlIsNameInExpression + - wcsrchr + - PsRemoveLoadImageNotifyRoutine + - MmIsAddressValid + - ObfDereferenceObject + - KeUnstackDetachProcess + - ObOpenObjectByPointer + - KeStackAttachProcess + - ZwAllocateVirtualMemory + - KeClearEvent + - _wcsnicmp + - ObCreateObject + - IoFileObjectType + - IoDriverObjectType + - MmMapLockedPagesSpecifyCache + - IoGetCurrentProcess + - _vsnwprintf + - KeQueryTimeIncrement + - IoGetDeviceAttachmentBaseRef + - IoFreeIrp + - IoAllocateIrp + - RtlCompareUnicodeString + - CmRegisterCallback + - PsGetCurrentProcessId + - RtlCopyUnicodeString + - CmCallbackGetKeyObjectID + - ZwEnumerateKey + - strstr + - KeDelayExecutionThread + - ExSystemTimeToLocalTime + - RtlTimeToTimeFields + - RtlMultiByteToUnicodeN + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - IoFreeMdl + - IoCancelIrp + - MmProbeAndLockPages + - IoAllocateMdl + - IofCallDriver + - ZwMapViewOfSection + - ExGetPreviousMode + - ZwQuerySystemInformation + - ZwUnmapViewOfSection + - ZwCreateSection + - ExFreePool + - KeBugCheckEx + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., + CN=Beijing JoinHope Image Technology Ltd. 
+ ValidFrom: '2014-05-16 00:00:00' + ValidTo: '2015-05-16 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Version: 3 + TBS: + MD5: 4d213d99215f488050faaa39765656d1 + SHA1: 0308508b5a3fcd330bbf28931f8e1a9c93c3ee69 + SHA256: ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2011-02-22 19:25:17' + ValidTo: '2021-02-22 19:35:17' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611993e400000000001c + Version: 3 + TBS: + MD5: 78a717e082dcc1cda3458d917e677d14 + SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 + SHA256: 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: 
b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 +Tags: +- a236e7d654cd932b7d11cb604629a2d0.sys diff --git a/yaml/2d6c1da6-17e2-4385-ad93-1430f83bde83.yaml b/yaml/2d6c1da6-17e2-4385-ad93-1430f83bde83.yaml new file mode 100644 index 000000000..fa5e30083 --- /dev/null +++ b/yaml/2d6c1da6-17e2-4385-ad93-1430f83bde83.yaml 
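Review bot: The `Command:` value in this record will not run as written, because `sc.exe` requires a space after each option's equal sign (`binPath= …`, `type= …`); without it, sc.exe treats `binPath=C:\windows\temp\…` as an unrecognized option and prints its usage text instead of creating the service. The value should read `sc.exe create a236e7d654cd932b7d11cb604629a2d0.sys binPath= C:\windows\temp\a236e7d654cd932b7d11cb604629a2d0.sys type= kernel && sc.exe start a236e7d654cd932b7d11cb604629a2d0.sys`. The same spacing appears in every `Command:` line added by this commit, so it is presumably produced by a template and is better fixed at the source than per file.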
@@ -0,0 +1,219 @@ +Id: 2d6c1da6-17e2-4385-ad93-1430f83bde83 +Author: Alice Climent-Pommeret +Created: '2023-07-31' +MitreID: T1014 +Category: malicious +Verified: 'TRUE' +Commands: + Command: sc.exe create 4748696211bd56c2d93c21cab91e82a5.sys binPath=C:\windows\temp\4748696211bd56c2d93c21cab91e82a5.sys type=kernel + && sc.exe start 4748696211bd56c2d93c21cab91e82a5.sys + Description: "Cisco Talos has identified multiple versions of an undocumented malicious\ + \ driver named \u201CRedDriver,\u201D a driver-based browser hijacker that uses\ + \ the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver\ + \ has been active since at least 2021. RedDriver utilizes HookSignTool to forge\ + \ its signature timestamp to bypass Windows driver-signing policies. Code from\ + \ multiple open-source tools has been used in the development of RedDriver's infection\ + \ chain, including HP-Socket and a custom implementation of ReflectiveLoader.\ + \ The authors of RedDriver appear to be skilled in driver development and have\ + \ deep knowledge of the Windows operating system. This threat appears to target\ + \ native Chinese speakers, as it searches for Chinese language browsers to hijack.\ + \ Additionally, the authors are likely Chinese speakers themselves." 
+ Usecase: '' + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://blog.talosintelligence.com/undocumented-reddriver/ +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Filename: '' + MD5: 4748696211bd56c2d93c21cab91e82a5 + SHA1: d4cf9296271a9c5c40b0fa34f69b6125c2d14457 + SHA256: 888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440 + Signature: '' + Date: '' + Publisher: '' + Company: '' + Description: '' + Product: '' + ProductVersion: '' + FileVersion: '' + MachineType: AMD64 + OriginalFilename: '' + Authentihash: + MD5: 529310cd6840d1f3288e33acb9dd5096 + SHA1: 670f181a172ae68a675cf4c0ce52c0b6be0196e9 + SHA256: e6a53d4cf39b4b0b5069359d0a3b32eb1aa7b56c427487c9f838eb279c6a90d1 + RichPEHeaderHash: + MD5: ecdd5c0e8a78b145a8e5d9443ff0f2eb + SHA1: 3ed3a76d965f1b5e387959ceedc84567a2f7bca4 + SHA256: 1edc4e310bd57e5c317b972f0bdb9f1f0794009b7039364dd6a879ee5f342754 + Sections: + .text: + Entropy: 6.2119592546505995 + Virtual Size: '0xc1ee' + .rdata: + Entropy: 5.110403242864534 + Virtual Size: '0xbac' + .data: + Entropy: 7.880053215052199 + Virtual Size: '0xa5490' + .pdata: + Entropy: 4.5968345164469415 + Virtual Size: '0x540' + PAGE: + Entropy: 6.308757256393646 + Virtual Size: '0x9b5' + INIT: + Entropy: 5.268683087271941 + Virtual Size: '0xa96' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-07-12 12:00:31' + InternalName: '' + Copyright: '' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - IoRegisterDriverReinitialization + - RtlInitUnicodeString + - IoDeleteDevice + - KeSetEvent + - KeInitializeEvent + - PsCreateSystemThread + - PsTerminateSystemThread + - ZwClose + - IofCompleteRequest + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsThreadType + - IoIsWdmVersionAvailable + - IoCreateSymbolicLink + - IoCreateDevice + - ZwReadFile + - IoCreateFile + - ZwSetInformationFile + - ZwCreateFile + - 
ZwQueryDirectoryFile + - ZwDeleteFile + - ZwOpenFile + - RtlImageNtHeader + - ZwQueryInformationFile + - ZwWriteFile + - ZwSetValueKey + - ZwQueryValueKey + - _vsnprintf + - ZwFlushKey + - ZwDeleteKey + - ZwOpenKey + - _stricmp + - ZwCreateKey + - PsSetLoadImageNotifyRoutine + - PsGetProcessImageFileName + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlGetVersion + - FsRtlIsNameInExpression + - wcsrchr + - PsRemoveLoadImageNotifyRoutine + - MmIsAddressValid + - ObfDereferenceObject + - KeUnstackDetachProcess + - ObOpenObjectByPointer + - KeStackAttachProcess + - ZwAllocateVirtualMemory + - KeClearEvent + - _wcsnicmp + - ObCreateObject + - IoFileObjectType + - IoDriverObjectType + - MmMapLockedPagesSpecifyCache + - IoGetCurrentProcess + - _vsnwprintf + - KeQueryTimeIncrement + - IoGetDeviceAttachmentBaseRef + - IoFreeIrp + - IoAllocateIrp + - RtlCompareUnicodeString + - CmRegisterCallback + - PsGetCurrentProcessId + - RtlCopyUnicodeString + - CmCallbackGetKeyObjectID + - ZwEnumerateKey + - strstr + - KeDelayExecutionThread + - ExSystemTimeToLocalTime + - RtlTimeToTimeFields + - RtlMultiByteToUnicodeN + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - IoFreeMdl + - IoCancelIrp + - MmProbeAndLockPages + - IoAllocateMdl + - IofCallDriver + - ZwMapViewOfSection + - ExGetPreviousMode + - ZwQuerySystemInformation + - ZwUnmapViewOfSection + - ZwCreateSection + - ExFreePool + - KeBugCheckEx + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., + CN=Beijing JoinHope Image Technology Ltd. 
+ ValidFrom: '2014-05-16 00:00:00' + ValidTo: '2015-05-16 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Version: 3 + TBS: + MD5: 4d213d99215f488050faaa39765656d1 + SHA1: 0308508b5a3fcd330bbf28931f8e1a9c93c3ee69 + SHA256: ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2011-02-22 19:25:17' + ValidTo: '2021-02-22 19:35:17' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611993e400000000001c + Version: 3 + TBS: + MD5: 78a717e082dcc1cda3458d917e677d14 + SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 + SHA256: 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: 
b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 +Tags: +- 4748696211bd56c2d93c21cab91e82a5.sys diff --git a/yaml/4f2edf45-b135-404f-bedc-9583f0bae574.yaml b/yaml/4f2edf45-b135-404f-bedc-9583f0bae574.yaml new file mode 100644 index 000000000..226b98a6d --- /dev/null +++ b/yaml/4f2edf45-b135-404f-bedc-9583f0bae574.yaml 
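Review bot: `Detection: []` leaves this record with no detection content even though the fields that actually discriminate the family are already in the hunk: the leaf signing certificate serial `0a005d2e2bcd4137168217d8c727747c` (Beijing JoinHope Image Technology Ltd.) and its TBS SHA256 `ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2` are identical between this sample and the one in `2866bd72-…` while the per-sample MD5/SHA1/SHA256 differ, so a YARA or Sigma rule should key on the signer rather than on file hashes that change with every build. Link such a rule under `Detection:`, in whatever form the schema's list accepts, or at minimum note in the record that the signer serial is the stable indicator across the RedDriver variants. For a `Category: malicious` entry whose `Command:` exists only to reproduce the load in a lab, the detection half of the record is the more valuable one.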
@@ -0,0 +1,219 @@ +Id: 4f2edf45-b135-404f-bedc-9583f0bae574 +Author: Alice Climent-Pommeret +Created: '2023-07-31' +MitreID: T1014 +Category: malicious +Verified: 'TRUE' +Commands: + Command: sc.exe create e939448b28a4edc81f1f974cebf6e7d2.sys binPath=C:\windows\temp\e939448b28a4edc81f1f974cebf6e7d2.sys type=kernel + && sc.exe start e939448b28a4edc81f1f974cebf6e7d2.sys + Description: "Cisco Talos has identified multiple versions of an undocumented malicious\ + \ driver named \u201CRedDriver,\u201D a driver-based browser hijacker that uses\ + \ the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver\ + \ has been active since at least 2021. RedDriver utilizes HookSignTool to forge\ + \ its signature timestamp to bypass Windows driver-signing policies. Code from\ + \ multiple open-source tools has been used in the development of RedDriver's infection\ + \ chain, including HP-Socket and a custom implementation of ReflectiveLoader.\ + \ The authors of RedDriver appear to be skilled in driver development and have\ + \ deep knowledge of the Windows operating system. This threat appears to target\ + \ native Chinese speakers, as it searches for Chinese language browsers to hijack.\ + \ Additionally, the authors are likely Chinese speakers themselves." 
+ Usecase: '' + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://blog.talosintelligence.com/undocumented-reddriver/ +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Filename: '' + MD5: e939448b28a4edc81f1f974cebf6e7d2 + SHA1: 552730553a1dea0290710465fb8189bdd0eaad42 + SHA256: 29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a + Signature: '' + Date: '' + Publisher: '' + Company: '' + Description: '' + Product: '' + ProductVersion: '' + FileVersion: '' + MachineType: AMD64 + OriginalFilename: '' + Authentihash: + MD5: 59e07697795ff07f811cb2edec92ff4b + SHA1: 9b453e25fcefea6ced8d40b7995aedcd651e21b7 + SHA256: 5a7bde3c194e84070ff15718e58b6d9a79d5b11fb4f5754ecbae9f6fee1ca40f + RichPEHeaderHash: + MD5: ecdd5c0e8a78b145a8e5d9443ff0f2eb + SHA1: 3ed3a76d965f1b5e387959ceedc84567a2f7bca4 + SHA256: 1edc4e310bd57e5c317b972f0bdb9f1f0794009b7039364dd6a879ee5f342754 + Sections: + .text: + Entropy: 6.2119592546505995 + Virtual Size: '0xc1ee' + .rdata: + Entropy: 5.110403242864534 + Virtual Size: '0xbac' + .data: + Entropy: 7.880058093889707 + Virtual Size: '0xa5490' + .pdata: + Entropy: 4.5968345164469415 + Virtual Size: '0x540' + PAGE: + Entropy: 6.308757256393646 + Virtual Size: '0x9b5' + INIT: + Entropy: 5.268683087271941 + Virtual Size: '0xa96' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-07-01 04:13:19' + InternalName: '' + Copyright: '' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - IoRegisterDriverReinitialization + - RtlInitUnicodeString + - IoDeleteDevice + - KeSetEvent + - KeInitializeEvent + - PsCreateSystemThread + - PsTerminateSystemThread + - ZwClose + - IofCompleteRequest + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsThreadType + - IoIsWdmVersionAvailable + - IoCreateSymbolicLink + - IoCreateDevice + - ZwReadFile + - IoCreateFile + - ZwSetInformationFile + - ZwCreateFile + - 
ZwQueryDirectoryFile + - ZwDeleteFile + - ZwOpenFile + - RtlImageNtHeader + - ZwQueryInformationFile + - ZwWriteFile + - ZwSetValueKey + - ZwQueryValueKey + - _vsnprintf + - ZwFlushKey + - ZwDeleteKey + - ZwOpenKey + - _stricmp + - ZwCreateKey + - PsSetLoadImageNotifyRoutine + - PsGetProcessImageFileName + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlGetVersion + - FsRtlIsNameInExpression + - wcsrchr + - PsRemoveLoadImageNotifyRoutine + - MmIsAddressValid + - ObfDereferenceObject + - KeUnstackDetachProcess + - ObOpenObjectByPointer + - KeStackAttachProcess + - ZwAllocateVirtualMemory + - KeClearEvent + - _wcsnicmp + - ObCreateObject + - IoFileObjectType + - IoDriverObjectType + - MmMapLockedPagesSpecifyCache + - IoGetCurrentProcess + - _vsnwprintf + - KeQueryTimeIncrement + - IoGetDeviceAttachmentBaseRef + - IoFreeIrp + - IoAllocateIrp + - RtlCompareUnicodeString + - CmRegisterCallback + - PsGetCurrentProcessId + - RtlCopyUnicodeString + - CmCallbackGetKeyObjectID + - ZwEnumerateKey + - strstr + - KeDelayExecutionThread + - ExSystemTimeToLocalTime + - RtlTimeToTimeFields + - RtlMultiByteToUnicodeN + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - IoFreeMdl + - IoCancelIrp + - MmProbeAndLockPages + - IoAllocateMdl + - IofCallDriver + - ZwMapViewOfSection + - ExGetPreviousMode + - ZwQuerySystemInformation + - ZwUnmapViewOfSection + - ZwCreateSection + - ExFreePool + - KeBugCheckEx + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., + CN=Beijing JoinHope Image Technology Ltd. 
+ ValidFrom: '2014-05-16 00:00:00' + ValidTo: '2015-05-16 23:59:59' + Signature: e896f8811ed9938fcbdc8c37f8c029045bb36722791c608d7d59f1d50b9e8923777b3ce973553c8164d7445f038c3720516d74f2f95fd734cd1349c1e6cf17f1c9042f069fb94350f7cd8f36f676fd175742d32adbc5d143423e3bc38bea71f9d021110303529d578ba7aab16d53c61642cf1f7e16964718a083182429d4347a09ea0047d9e53bad112ca5a5a14a180539ceb64000a677709bb70e9e3aea68158977072e7f130f1f99b08c2593b4003523f3f6cd441a7e4d8e88f3a2b871e6a03627dd3dadd97487df1dc5b93119ec65b60d1e4e0248a1978ee7480c08b8b8e54d890e7941aa852cf65d731cf0a6cf66584a0d0fba70d6697ee22a8d859919f4 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Version: 3 + TBS: + MD5: 4d213d99215f488050faaa39765656d1 + SHA1: 0308508b5a3fcd330bbf28931f8e1a9c93c3ee69 + SHA256: ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2011-02-22 19:25:17' + ValidTo: '2021-02-22 19:35:17' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611993e400000000001c + Version: 3 + TBS: + MD5: 78a717e082dcc1cda3458d917e677d14 + SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 + SHA256: 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 
5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 +Tags: +- e939448b28a4edc81f1f974cebf6e7d2.sys diff --git a/yaml/75b9b0c5-dd3e-4cf3-a693-c80f2feabb6a.yaml b/yaml/75b9b0c5-dd3e-4cf3-a693-c80f2feabb6a.yaml new file mode 100644 index 000000000..8c9f83ac2 --- /dev/null +++ b/yaml/75b9b0c5-dd3e-4cf3-a693-c80f2feabb6a.yaml 
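Review bot: `Date: ''` and `Signature: ''` drop the one artefact that makes this sample notable: the PE `CreationTimestamp` is `2023-07-01 04:13:19` while the leaf certificate in the chain was valid only from `2014-05-16` to `2015-05-16`, so if the Authenticode signature validates at all its signing time must fall inside that window, i.e. it is backdated — the HookSignTool forgery the `Description` refers to. Record the signing time taken from the signature (and whether a countersignature is present) in `Date`, so that a consumer of the record sees the timestamp anomaly without re-parsing the binary. Separately, this file is identical to `2866bd72-…` and `2d6c1da6-…` except for the per-sample hashes and timestamps (same `RichPEHeaderHash`, same import table, same signer), so one RedDriver record with several `KnownVulnerableSamples` entries may be cleaner than thirteen near-duplicate files — assuming the site generator handles multi-sample records, which I cannot confirm from here.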
@@ -0,0 +1,219 @@ +Id: 75b9b0c5-dd3e-4cf3-a693-c80f2feabb6a +Author: Alice Climent-Pommeret +Created: '2023-07-31' +MitreID: T1014 +Category: malicious +Verified: 'TRUE' +Commands: + Command: sc.exe create 5a4fe297c7d42539303137b6d75b150d.sys binPath=C:\windows\temp\5a4fe297c7d42539303137b6d75b150d.sys type=kernel + && sc.exe start 5a4fe297c7d42539303137b6d75b150d.sys + Description: "Cisco Talos has identified multiple versions of an undocumented malicious\ + \ driver named \u201CRedDriver,\u201D a driver-based browser hijacker that uses\ + \ the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver\ + \ has been active since at least 2021. RedDriver utilizes HookSignTool to forge\ + \ its signature timestamp to bypass Windows driver-signing policies. Code from\ + \ multiple open-source tools has been used in the development of RedDriver's infection\ + \ chain, including HP-Socket and a custom implementation of ReflectiveLoader.\ + \ The authors of RedDriver appear to be skilled in driver development and have\ + \ deep knowledge of the Windows operating system. This threat appears to target\ + \ native Chinese speakers, as it searches for Chinese language browsers to hijack.\ + \ Additionally, the authors are likely Chinese speakers themselves." 
+ Usecase: '' + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://blog.talosintelligence.com/undocumented-reddriver/ +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Filename: '' + MD5: 5a4fe297c7d42539303137b6d75b150d + SHA1: ebd8b7e964b8c692eea4a8c406b9cd0be621ebe2 + SHA256: 9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40 + Signature: '' + Date: '' + Publisher: '' + Company: '' + Description: '' + Product: '' + ProductVersion: '' + FileVersion: '' + MachineType: AMD64 + OriginalFilename: '' + Authentihash: + MD5: e5c54b958d6608cbb97e1a21c200dcd9 + SHA1: cc9b2ee8d9f3031eeab893e29231208eee30e494 + SHA256: 47bcbe0e7087cde7a9fb01fcec12b5ab185112c8f7f5638543715efa774b0cec + RichPEHeaderHash: + MD5: ecdd5c0e8a78b145a8e5d9443ff0f2eb + SHA1: 3ed3a76d965f1b5e387959ceedc84567a2f7bca4 + SHA256: 1edc4e310bd57e5c317b972f0bdb9f1f0794009b7039364dd6a879ee5f342754 + Sections: + .text: + Entropy: 6.2119592546505995 + Virtual Size: '0xc1ee' + .rdata: + Entropy: 5.110403242864534 + Virtual Size: '0xbac' + .data: + Entropy: 7.8800439180453505 + Virtual Size: '0xa5490' + .pdata: + Entropy: 4.5968345164469415 + Virtual Size: '0x540' + PAGE: + Entropy: 6.308757256393646 + Virtual Size: '0x9b5' + INIT: + Entropy: 5.268683087271941 + Virtual Size: '0xa96' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-06-29 19:57:11' + InternalName: '' + Copyright: '' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - IoRegisterDriverReinitialization + - RtlInitUnicodeString + - IoDeleteDevice + - KeSetEvent + - KeInitializeEvent + - PsCreateSystemThread + - PsTerminateSystemThread + - ZwClose + - IofCompleteRequest + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsThreadType + - IoIsWdmVersionAvailable + - IoCreateSymbolicLink + - IoCreateDevice + - ZwReadFile + - IoCreateFile + - ZwSetInformationFile + - ZwCreateFile + - 
ZwQueryDirectoryFile + - ZwDeleteFile + - ZwOpenFile + - RtlImageNtHeader + - ZwQueryInformationFile + - ZwWriteFile + - ZwSetValueKey + - ZwQueryValueKey + - _vsnprintf + - ZwFlushKey + - ZwDeleteKey + - ZwOpenKey + - _stricmp + - ZwCreateKey + - PsSetLoadImageNotifyRoutine + - PsGetProcessImageFileName + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlGetVersion + - FsRtlIsNameInExpression + - wcsrchr + - PsRemoveLoadImageNotifyRoutine + - MmIsAddressValid + - ObfDereferenceObject + - KeUnstackDetachProcess + - ObOpenObjectByPointer + - KeStackAttachProcess + - ZwAllocateVirtualMemory + - KeClearEvent + - _wcsnicmp + - ObCreateObject + - IoFileObjectType + - IoDriverObjectType + - MmMapLockedPagesSpecifyCache + - IoGetCurrentProcess + - _vsnwprintf + - KeQueryTimeIncrement + - IoGetDeviceAttachmentBaseRef + - IoFreeIrp + - IoAllocateIrp + - RtlCompareUnicodeString + - CmRegisterCallback + - PsGetCurrentProcessId + - RtlCopyUnicodeString + - CmCallbackGetKeyObjectID + - ZwEnumerateKey + - strstr + - KeDelayExecutionThread + - ExSystemTimeToLocalTime + - RtlTimeToTimeFields + - RtlMultiByteToUnicodeN + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - IoFreeMdl + - IoCancelIrp + - MmProbeAndLockPages + - IoAllocateMdl + - IofCallDriver + - ZwMapViewOfSection + - ExGetPreviousMode + - ZwQuerySystemInformation + - ZwUnmapViewOfSection + - ZwCreateSection + - ExFreePool + - KeBugCheckEx + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., + CN=Beijing JoinHope Image Technology Ltd. 
+ ValidFrom: '2014-05-16 00:00:00' + ValidTo: '2015-05-16 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Version: 3 + TBS: + MD5: 4d213d99215f488050faaa39765656d1 + SHA1: 0308508b5a3fcd330bbf28931f8e1a9c93c3ee69 + SHA256: ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2011-02-22 19:25:17' + ValidTo: '2021-02-22 19:35:17' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611993e400000000001c + Version: 3 + TBS: + MD5: 78a717e082dcc1cda3458d917e677d14 + SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 + SHA256: 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 +Tags: +- 5a4fe297c7d42539303137b6d75b150d.sys 
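Review bot: `Detection: []` leaves this `Category: malicious` entry with no detection content, even though the hunk itself carries the clearest signal: the sample's `CreationTimestamp: '2023-06-29 19:57:11'` lies years past the leaf certificate's `ValidTo: '2015-05-16 23:59:59'`, which is consistent with the forged signing timestamp the Description attributes to HookSignTool. A Detection item that at least references the Talos write-up already listed under Resources, or that keys on the leaf certificate `SerialNumber: 0a005d2e2bcd4137168217d8c727747c` together with the sample Authentihash, would make the entry actionable for defenders. The sample-level `Signature: ''` and `Filename: ''` are also empty while `Tags` and the Signatures block carry that information; presumably the extractor left them blank, so a consistency pass seems warranted. `Imports` lists only `ntoskrnl.exe` with no WFP-related module, so this sample is presumably a loader stage rather than the traffic-intercepting component the Description refers to; a sentence in the empty `Usecase` field would clarify that. The same points apply to the hunks for yaml/8c2df58f-1e02-4911-ad40-3fa4ed1f4333.yaml and yaml/a9ab4412-d484-459b-be97-5975f5ab8094.yaml.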
diff --git a/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml b/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml index 5f29c34c9..85a00bdb3 100644 --- a/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml +++ b/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml @@ -3429,9 +3429,9 @@ KnownVulnerableSamples: CA Version: 1 - Authentihash: - MD5: 4be47ca586cc6b4f4336bbf9b661cc76 - SHA1: 8fbc16f2212b74de4a4ff5efcb7026bc3f5952bc - SHA256: d7cc4ed41cc0ac5056e7d9435f850f7cc7021901c26e698e8f2056dbb53d3323 + MD5: 29014462dcf68528931c61b0ffac78dd + SHA1: cfa43f23960c77a0c47ce263aa23f6c3bb8a9215 + SHA256: 45448e988b82209da2900ea601b0bf7043903b36a6e731ed8abdb0170da4742e Company: Elaborate Bytes Copyright: Copyright (C) Elaborate Bytes 2000 CreationTimestamp: '2000-11-30 16:02:08' @@ -4203,9 +4203,9 @@ KnownVulnerableSamples: CA Version: 1 - Authentihash: - MD5: 0deadda87ba63ea29ce9c581ea9faa21 - SHA1: c7e53f82c59df11843f4d9201c6e897673204141 - SHA256: 01927b3cbbbc24763d9a932aaa164c6e81f9ae2e0f88bb7baea7c099044ddd5e + MD5: 79aecd03e37c756b96737abc3a8d8165 + SHA1: 88c6ed7a5ca62ed5519d6b0372f287a8b3d0bbbf + SHA256: 4a25fbb358e3989b7b896bd239979bcb0ed1930a7f7fe69c9583906f557c6a0f Company: Elaborate Bytes AG Copyright: Copyright (C) 2000 - 2002 Elaborate Bytes AG CreationTimestamp: '2002-11-29 04:38:16' @@ -4479,9 +4479,9 @@ KnownVulnerableSamples: CA Version: 1 - Authentihash: - MD5: f77fa8cff09efa7c3fec79d0593aba52 - SHA1: c1bf449ae19d7e75d6f889051005a848394b4b6d - SHA256: 37b561128161b34e140065ed771f3614fa9dd7b8c4bd90e49e8b39145c985000 + MD5: f37046cabc3b50a98377f280d15ad713 + SHA1: d5cbdb59b1394b4daed5c6ddab0acbc02d696adf + SHA256: 3a8a998ad0fe98295691d2cdcd4f4e5452876c38c9d2be0c2728ff1f0834efba Company: Elaborate Bytes Copyright: Copyright (C) Elaborate Bytes 2000 CreationTimestamp: '2001-03-27 07:38:46' diff --git a/yaml/8c2df58f-1e02-4911-ad40-3fa4ed1f4333.yaml b/yaml/8c2df58f-1e02-4911-ad40-3fa4ed1f4333.yaml new file mode 100644 index 000000000..907115237 --- /dev/null 
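Review bot: The three hunks in this file replace each sample's `Authentihash` (MD5, SHA1 and SHA256) while the surrounding sample metadata (`Company`, `Copyright`, `CreationTimestamp`) is unchanged, and nothing in the diff records why the earlier values were wrong. Authentihash is the value signature-based allow and block lists key on, so a silent swap invalidates any rule built on the old hashes; the commit description should state whether the previous values came from a tool defect or from a different file, and consumers of the old values should be told. If this is a repository-wide recompute, presumably other entries carry the same stale values; confirm rather than fixing these three alone.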
+++ b/yaml/8c2df58f-1e02-4911-ad40-3fa4ed1f4333.yaml 
@@ -0,0 +1,219 @@ +Id: 8c2df58f-1e02-4911-ad40-3fa4ed1f4333 +Author: Alice Climent-Pommeret +Created: '2023-07-31' +MitreID: T1014 +Category: malicious +Verified: 'TRUE' +Commands: + Command: sc.exe create ef0e1725aaf0c6c972593f860531a2ea.sys binPath=C:\windows\temp\ef0e1725aaf0c6c972593f860531a2ea.sys type=kernel + && sc.exe start ef0e1725aaf0c6c972593f860531a2ea.sys + Description: "Cisco Talos has identified multiple versions of an undocumented malicious\ + \ driver named \u201CRedDriver,\u201D a driver-based browser hijacker that uses\ + \ the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver\ + \ has been active since at least 2021. RedDriver utilizes HookSignTool to forge\ + \ its signature timestamp to bypass Windows driver-signing policies. Code from\ + \ multiple open-source tools has been used in the development of RedDriver's infection\ + \ chain, including HP-Socket and a custom implementation of ReflectiveLoader.\ + \ The authors of RedDriver appear to be skilled in driver development and have\ + \ deep knowledge of the Windows operating system. This threat appears to target\ + \ native Chinese speakers, as it searches for Chinese language browsers to hijack.\ + \ Additionally, the authors are likely Chinese speakers themselves." 
+ Usecase: '' + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://blog.talosintelligence.com/undocumented-reddriver/ +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Filename: '' + MD5: ef0e1725aaf0c6c972593f860531a2ea + SHA1: 6abc7979ba044f31884517827afb7b4bdaa0dcc1 + SHA256: f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f + Signature: '' + Date: '' + Publisher: '' + Company: '' + Description: '' + Product: '' + ProductVersion: '' + FileVersion: '' + MachineType: AMD64 + OriginalFilename: '' + Authentihash: + MD5: b2529d804593b6e7ced9f1d0ae2534a4 + SHA1: 859eabbf126c0f1c7895b45ec5629029a24ec059 + SHA256: 3fb37ecca8742677bd94ef6f6fb195b4baac701525c2140773a6475fa3aa633c + RichPEHeaderHash: + MD5: 50a091a32968ef3300f66b6b27458a45 + SHA1: 8d89bf1282a5af58cb3566accb77398fed0a2634 + SHA256: eb0f5406bd177f3dc8a2adcf37a88cc3881e703f32fa67ff8f9c6cf67b9558d3 + Sections: + .text: + Entropy: 6.215195579496279 + Virtual Size: '0xb98e' + .rdata: + Entropy: 5.123765459491577 + Virtual Size: '0xb8c' + .data: + Entropy: 7.879353247925244 + Virtual Size: '0xc7c90' + .pdata: + Entropy: 4.576491148346972 + Virtual Size: '0x510' + PAGE: + Entropy: 6.3192231164772075 + Virtual Size: '0x9b5' + INIT: + Entropy: 5.343230388706494 + Virtual Size: '0xa96' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-06-23 19:41:15' + InternalName: '' + Copyright: '' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - IoRegisterDriverReinitialization + - RtlInitUnicodeString + - IoDeleteDevice + - KeSetEvent + - KeInitializeEvent + - PsCreateSystemThread + - PsTerminateSystemThread + - ZwClose + - IofCompleteRequest + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsThreadType + - IoIsWdmVersionAvailable + - IoCreateSymbolicLink + - IoCreateDevice + - ZwReadFile + - IoCreateFile + - ZwSetInformationFile + - ZwCreateFile + - 
ZwQueryDirectoryFile + - ZwDeleteFile + - ZwOpenFile + - RtlImageNtHeader + - ZwQueryInformationFile + - ZwWriteFile + - ZwSetValueKey + - ZwQueryValueKey + - _vsnprintf + - ZwFlushKey + - ZwDeleteKey + - ZwOpenKey + - _stricmp + - ZwCreateKey + - PsSetLoadImageNotifyRoutine + - PsGetProcessImageFileName + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlGetVersion + - FsRtlIsNameInExpression + - wcsrchr + - PsRemoveLoadImageNotifyRoutine + - MmIsAddressValid + - ObfDereferenceObject + - KeUnstackDetachProcess + - ObOpenObjectByPointer + - KeStackAttachProcess + - ZwAllocateVirtualMemory + - KeClearEvent + - _wcsnicmp + - ObCreateObject + - IoFileObjectType + - IoDriverObjectType + - MmMapLockedPagesSpecifyCache + - IoGetCurrentProcess + - _vsnwprintf + - KeQueryTimeIncrement + - IoGetDeviceAttachmentBaseRef + - IoFreeIrp + - IoAllocateIrp + - RtlCompareUnicodeString + - CmRegisterCallback + - PsGetCurrentProcessId + - RtlCopyUnicodeString + - CmCallbackGetKeyObjectID + - ZwEnumerateKey + - strstr + - KeDelayExecutionThread + - ExSystemTimeToLocalTime + - RtlTimeToTimeFields + - RtlMultiByteToUnicodeN + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - IoFreeMdl + - IoCancelIrp + - MmProbeAndLockPages + - IoAllocateMdl + - IofCallDriver + - ZwMapViewOfSection + - ExGetPreviousMode + - ZwQuerySystemInformation + - ZwUnmapViewOfSection + - ZwCreateSection + - ExFreePool + - KeBugCheckEx + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., + CN=Beijing JoinHope Image Technology Ltd. 
+ ValidFrom: '2014-05-16 00:00:00' + ValidTo: '2015-05-16 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Version: 3 + TBS: + MD5: 4d213d99215f488050faaa39765656d1 + SHA1: 0308508b5a3fcd330bbf28931f8e1a9c93c3ee69 + SHA256: ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2011-02-22 19:25:17' + ValidTo: '2021-02-22 19:35:17' + Signature: 812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611993e400000000001c + Version: 3 + TBS: + MD5: 78a717e082dcc1cda3458d917e677d14 + SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 + SHA256: 
317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 +Tags: +- ef0e1725aaf0c6c972593f860531a2ea.sys diff --git a/yaml/9454a752-233e-4ba2-b585-8da242bf8f31.yaml b/yaml/9454a752-233e-4ba2-b585-8da242bf8f31.yaml index ea166cbcc..4c3508426 100644 --- a/yaml/9454a752-233e-4ba2-b585-8da242bf8f31.yaml +++ b/yaml/9454a752-233e-4ba2-b585-8da242bf8f31.yaml 
@@ -2692,60 +2692,60 @@ KnownVulnerableSamples: SHA1: 118f688c30a2f6c2d1feb955f53ce4acf3086b3b SHA256: e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37 Sections: - .data: - Entropy: 0.6890836305716007 - Virtual Size: '0x9428' - .rdata: - Entropy: 4.565535020821956 - Virtual Size: '0x5f4' - .reloc: - Entropy: 6.678416291453968 - Virtual Size: '0x694' .text: Entropy: 6.340579412340497 Virtual Size: '0x5de8' + .rdata: + Entropy: 4.565535020821956 + Virtual Size: '0x5f4' + .data: + Entropy: 0.6890836305716007 + Virtual Size: '0x9428' INIT: Entropy: 5.674405086792681 Virtual Size: '0xb48' + .reloc: + Entropy: 6.678416291453968 + Virtual Size: '0x694' Signature: '' Signatures: - - Certificates: - - IsCertificateAuthority: false - SerialNumber: 33000000b5213fca1e4aa03de40000000000b5 + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Hardware Compatibility Publisher + ValidFrom: '2020-12-15 22:15:33' + ValidTo: '2021-12-02 22:15:33' Signature: 0d2d53cd15a8feddcb17e2df1bf7dc1aef21e98c6cd220f58b593824849c134a0f1add59ce42ef80ddf47860273013604d9568ec5894a797bd4e571432a9aaf10ab04dd1c038b26ab7c5ca3a9c88d009267fab56254525546a0a055fb37b9cd8029c7d501809fc8b11482c7a4347b3ad29f35427c9570e87117db52cc94864259274b9e2e758f918a3af1fdb9f9d40ffa3ae2e2ae012fb97a436258642a2a4223dc6690db88103a6e5220646bd8afb3d12eb894ac28b527396a1965408487f6ab878b3c474b8c960842861ae8e799a3d2a8d6f918f50f8e26bb1ed6ced47be36e447574e8568582964ff31cd288b9c7f8d7e6a46d6c3d92f5c101fe1522a720c SignatureAlgorithmOID: 1.2.840.113549.1.1.11 - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft - Windows Hardware Compatibility Publisher + IsCertificateAuthority: false + SerialNumber: 33000000b5213fca1e4aa03de40000000000b5 + Version: 3 TBS: MD5: a0dd89c33c4973bf6758331e200fb6de SHA1: 65ff7fa429c0f08f8a8bf30509e8ca2919d9edb5 SHA256: 
29a7b646af062aee3bf37d1ba190211365116db7d7aa4cb87ba268843262ae47 - ValidFrom: '2020-12-15 22:15:33' - ValidTo: '2021-12-02 22:15:33' - Version: 3 - - IsCertificateAuthority: true - SerialNumber: 610baac1000000000009 + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2012 + ValidFrom: '2012-04-18 23:48:38' + ValidTo: '2027-04-18 23:58:38' Signature: 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 SignatureAlgorithmOID: 1.2.840.113549.1.1.11 - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft - Windows Third Party Component CA 2012 + IsCertificateAuthority: true + SerialNumber: 610baac1000000000009 + Version: 3 TBS: MD5: a569061297e8e824767dbc3184a69bea SHA1: adbb26a587a8f44b4fccaecb306f980d1c55a150 SHA256: cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 - ValidFrom: '2012-04-18 23:48:38' - ValidTo: '2027-04-18 23:58:38' - Version: 3 - CertificatesInfo: '' Signer: - - Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + - SerialNumber: 33000000b5213fca1e4aa03de40000000000b5 + Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012 - SerialNumber: 33000000b5213fca1e4aa03de40000000000b5 Version: 1 - SignerInfo: '' MitreID: T1068 Resources: - https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c Tags: - Netfilter.sys -Verified: 'TRUE' \ No newline at end of file +Verified: 'TRUE' diff --git a/yaml/a9ab4412-d484-459b-be97-5975f5ab8094.yaml b/yaml/a9ab4412-d484-459b-be97-5975f5ab8094.yaml new file mode 100644 index 000000000..ad52a0127 --- /dev/null +++ b/yaml/a9ab4412-d484-459b-be97-5975f5ab8094.yaml 
@@ -0,0 +1,219 @@ +Id: a9ab4412-d484-459b-be97-5975f5ab8094 +Author: Alice Climent-Pommeret +Created: '2023-07-31' +MitreID: T1014 +Category: malicious +Verified: 'TRUE' +Commands: + Command: sc.exe create be6318413160e589080df02bb3ca6e6a.sys binPath=C:\windows\temp\be6318413160e589080df02bb3ca6e6a.sys type=kernel + && sc.exe start be6318413160e589080df02bb3ca6e6a.sys + Description: "Cisco Talos has identified multiple versions of an undocumented malicious\ + \ driver named \u201CRedDriver,\u201D a driver-based browser hijacker that uses\ + \ the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver\ + \ has been active since at least 2021. RedDriver utilizes HookSignTool to forge\ + \ its signature timestamp to bypass Windows driver-signing policies. Code from\ + \ multiple open-source tools has been used in the development of RedDriver's infection\ + \ chain, including HP-Socket and a custom implementation of ReflectiveLoader.\ + \ The authors of RedDriver appear to be skilled in driver development and have\ + \ deep knowledge of the Windows operating system. This threat appears to target\ + \ native Chinese speakers, as it searches for Chinese language browsers to hijack.\ + \ Additionally, the authors are likely Chinese speakers themselves." 
+ Usecase: '' + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://blog.talosintelligence.com/undocumented-reddriver/ +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Filename: '' + MD5: be6318413160e589080df02bb3ca6e6a + SHA1: dd94a2436994ac35db91e0ec9438b95e438d38c5 + SHA256: bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4 + Signature: '' + Date: '' + Publisher: '' + Company: '' + Description: '' + Product: '' + ProductVersion: '' + FileVersion: '' + MachineType: AMD64 + OriginalFilename: '' + Authentihash: + MD5: 382d0c5c1e5821d578c7295441f8aa96 + SHA1: 3f9172bcd067412570c0704a74aca4e5242b7354 + SHA256: 4a367f9af0d4995eafb7bbdb4fa60eee88e470f7192276d3d66afc58f75013e1 + RichPEHeaderHash: + MD5: ecdd5c0e8a78b145a8e5d9443ff0f2eb + SHA1: 3ed3a76d965f1b5e387959ceedc84567a2f7bca4 + SHA256: 1edc4e310bd57e5c317b972f0bdb9f1f0794009b7039364dd6a879ee5f342754 + Sections: + .text: + Entropy: 6.2119592546505995 + Virtual Size: '0xc1ee' + .rdata: + Entropy: 5.110403242864534 + Virtual Size: '0xbac' + .data: + Entropy: 7.880055977911046 + Virtual Size: '0xa5490' + .pdata: + Entropy: 4.5968345164469415 + Virtual Size: '0x540' + PAGE: + Entropy: 6.308757256393646 + Virtual Size: '0x9b5' + INIT: + Entropy: 5.268683087271941 + Virtual Size: '0xa96' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-06-30 05:57:00' + InternalName: '' + Copyright: '' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - IoRegisterDriverReinitialization + - RtlInitUnicodeString + - IoDeleteDevice + - KeSetEvent + - KeInitializeEvent + - PsCreateSystemThread + - PsTerminateSystemThread + - ZwClose + - IofCompleteRequest + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsThreadType + - IoIsWdmVersionAvailable + - IoCreateSymbolicLink + - IoCreateDevice + - ZwReadFile + - IoCreateFile + - ZwSetInformationFile + - ZwCreateFile + - 
ZwQueryDirectoryFile + - ZwDeleteFile + - ZwOpenFile + - RtlImageNtHeader + - ZwQueryInformationFile + - ZwWriteFile + - ZwSetValueKey + - ZwQueryValueKey + - _vsnprintf + - ZwFlushKey + - ZwDeleteKey + - ZwOpenKey + - _stricmp + - ZwCreateKey + - PsSetLoadImageNotifyRoutine + - PsGetProcessImageFileName + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlGetVersion + - FsRtlIsNameInExpression + - wcsrchr + - PsRemoveLoadImageNotifyRoutine + - MmIsAddressValid + - ObfDereferenceObject + - KeUnstackDetachProcess + - ObOpenObjectByPointer + - KeStackAttachProcess + - ZwAllocateVirtualMemory + - KeClearEvent + - _wcsnicmp + - ObCreateObject + - IoFileObjectType + - IoDriverObjectType + - MmMapLockedPagesSpecifyCache + - IoGetCurrentProcess + - _vsnwprintf + - KeQueryTimeIncrement + - IoGetDeviceAttachmentBaseRef + - IoFreeIrp + - IoAllocateIrp + - RtlCompareUnicodeString + - CmRegisterCallback + - PsGetCurrentProcessId + - RtlCopyUnicodeString + - CmCallbackGetKeyObjectID + - ZwEnumerateKey + - strstr + - KeDelayExecutionThread + - ExSystemTimeToLocalTime + - RtlTimeToTimeFields + - RtlMultiByteToUnicodeN + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - IoFreeMdl + - IoCancelIrp + - MmProbeAndLockPages + - IoAllocateMdl + - IofCallDriver + - ZwMapViewOfSection + - ExGetPreviousMode + - ZwQuerySystemInformation + - ZwUnmapViewOfSection + - ZwCreateSection + - ExFreePool + - KeBugCheckEx + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., + CN=Beijing JoinHope Image Technology Ltd. 
+ ValidFrom: '2014-05-16 00:00:00' + ValidTo: '2015-05-16 23:59:59' + Signature: e896f8811ed9938fcbdc8c37f8c029045bb36722791c608d7d59f1d50b9e8923777b3ce973553c8164d7445f038c3720516d74f2f95fd734cd1349c1e6cf17f1c9042f069fb94350f7cd8f36f676fd175742d32adbc5d143423e3bc38bea71f9d021110303529d578ba7aab16d53c61642cf1f7e16964718a083182429d4347a09ea0047d9e53bad112ca5a5a14a180539ceb64000a677709bb70e9e3aea68158977072e7f130f1f99b08c2593b4003523f3f6cd441a7e4d8e88f3a2b871e6a03627dd3dadd97487df1dc5b93119ec65b60d1e4e0248a1978ee7480c08b8b8e54d890e7941aa852cf65d731cf0a6cf66584a0d0fba70d6697ee22a8d859919f4 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Version: 3 + TBS: + MD5: 4d213d99215f488050faaa39765656d1 + SHA1: 0308508b5a3fcd330bbf28931f8e1a9c93c3ee69 + SHA256: ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2011-02-22 19:25:17' + ValidTo: '2021-02-22 19:35:17' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611993e400000000001c + Version: 3 + TBS: + MD5: 78a717e082dcc1cda3458d917e677d14 + SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 + SHA256: 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 
5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 +Tags: +- be6318413160e589080df02bb3ca6e6a.sys diff --git a/yaml/aaf8ce1a-e11b-4929-96e0-5ec0666cef2c.yaml b/yaml/aaf8ce1a-e11b-4929-96e0-5ec0666cef2c.yaml new file mode 100644 index 000000000..ae503a625 --- /dev/null +++ b/yaml/aaf8ce1a-e11b-4929-96e0-5ec0666cef2c.yaml 
@@ -0,0 +1,219 @@ +Id: aaf8ce1a-e11b-4929-96e0-5ec0666cef2c +Author: Alice Climent-Pommeret +Created: '2023-07-31' +MitreID: T1014 +Category: malicious +Verified: 'TRUE' +Commands: + Command: sc.exe create 1fc7aeeff3ab19004d2e53eae8160ab1.sys binPath=C:\windows\temp\1fc7aeeff3ab19004d2e53eae8160ab1.sys type=kernel + && sc.exe start 1fc7aeeff3ab19004d2e53eae8160ab1.sys + Description: "Cisco Talos has identified multiple versions of an undocumented malicious\ + \ driver named \u201CRedDriver,\u201D a driver-based browser hijacker that uses\ + \ the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver\ + \ has been active since at least 2021. RedDriver utilizes HookSignTool to forge\ + \ its signature timestamp to bypass Windows driver-signing policies. Code from\ + \ multiple open-source tools has been used in the development of RedDriver's infection\ + \ chain, including HP-Socket and a custom implementation of ReflectiveLoader.\ + \ The authors of RedDriver appear to be skilled in driver development and have\ + \ deep knowledge of the Windows operating system. This threat appears to target\ + \ native Chinese speakers, as it searches for Chinese language browsers to hijack.\ + \ Additionally, the authors are likely Chinese speakers themselves." 
+ Usecase: '' + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://blog.talosintelligence.com/undocumented-reddriver/ +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Filename: '' + MD5: 1fc7aeeff3ab19004d2e53eae8160ab1 + SHA1: 08dd35dde6187af579a1210e00eadbcea29e66d2 + SHA256: 8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50 + Signature: '' + Date: '' + Publisher: '' + Company: '' + Description: '' + Product: '' + ProductVersion: '' + FileVersion: '' + MachineType: AMD64 + OriginalFilename: '' + Authentihash: + MD5: 91f2581c4f2fab49711c9221aaf3d726 + SHA1: e95809eda9fa380c8b7c8b056e443c419beae53f + SHA256: 43f88737fcdc8cd913ec2643c1841c87794f987e98b1432dd6220f769183467b + RichPEHeaderHash: + MD5: ecdd5c0e8a78b145a8e5d9443ff0f2eb + SHA1: 3ed3a76d965f1b5e387959ceedc84567a2f7bca4 + SHA256: 1edc4e310bd57e5c317b972f0bdb9f1f0794009b7039364dd6a879ee5f342754 + Sections: + .text: + Entropy: 6.2119592546505995 + Virtual Size: '0xc1ee' + .rdata: + Entropy: 5.110403242864534 + Virtual Size: '0xbac' + .data: + Entropy: 7.8800439180453505 + Virtual Size: '0xa5490' + .pdata: + Entropy: 4.5968345164469415 + Virtual Size: '0x540' + PAGE: + Entropy: 6.308757256393646 + Virtual Size: '0x9b5' + INIT: + Entropy: 5.268683087271941 + Virtual Size: '0xa96' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-06-30 01:34:36' + InternalName: '' + Copyright: '' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - IoRegisterDriverReinitialization + - RtlInitUnicodeString + - IoDeleteDevice + - KeSetEvent + - KeInitializeEvent + - PsCreateSystemThread + - PsTerminateSystemThread + - ZwClose + - IofCompleteRequest + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsThreadType + - IoIsWdmVersionAvailable + - IoCreateSymbolicLink + - IoCreateDevice + - ZwReadFile + - IoCreateFile + - ZwSetInformationFile + - ZwCreateFile + - 
ZwQueryDirectoryFile + - ZwDeleteFile + - ZwOpenFile + - RtlImageNtHeader + - ZwQueryInformationFile + - ZwWriteFile + - ZwSetValueKey + - ZwQueryValueKey + - _vsnprintf + - ZwFlushKey + - ZwDeleteKey + - ZwOpenKey + - _stricmp + - ZwCreateKey + - PsSetLoadImageNotifyRoutine + - PsGetProcessImageFileName + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlGetVersion + - FsRtlIsNameInExpression + - wcsrchr + - PsRemoveLoadImageNotifyRoutine + - MmIsAddressValid + - ObfDereferenceObject + - KeUnstackDetachProcess + - ObOpenObjectByPointer + - KeStackAttachProcess + - ZwAllocateVirtualMemory + - KeClearEvent + - _wcsnicmp + - ObCreateObject + - IoFileObjectType + - IoDriverObjectType + - MmMapLockedPagesSpecifyCache + - IoGetCurrentProcess + - _vsnwprintf + - KeQueryTimeIncrement + - IoGetDeviceAttachmentBaseRef + - IoFreeIrp + - IoAllocateIrp + - RtlCompareUnicodeString + - CmRegisterCallback + - PsGetCurrentProcessId + - RtlCopyUnicodeString + - CmCallbackGetKeyObjectID + - ZwEnumerateKey + - strstr + - KeDelayExecutionThread + - ExSystemTimeToLocalTime + - RtlTimeToTimeFields + - RtlMultiByteToUnicodeN + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - IoFreeMdl + - IoCancelIrp + - MmProbeAndLockPages + - IoAllocateMdl + - IofCallDriver + - ZwMapViewOfSection + - ExGetPreviousMode + - ZwQuerySystemInformation + - ZwUnmapViewOfSection + - ZwCreateSection + - ExFreePool + - KeBugCheckEx + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., + CN=Beijing JoinHope Image Technology Ltd. 
+ ValidFrom: '2014-05-16 00:00:00' + ValidTo: '2015-05-16 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Version: 3 + TBS: + MD5: 4d213d99215f488050faaa39765656d1 + SHA1: 0308508b5a3fcd330bbf28931f8e1a9c93c3ee69 + SHA256: ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2011-02-22 19:25:17' + ValidTo: '2021-02-22 19:35:17' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611993e400000000001c + Version: 3 + TBS: + MD5: 78a717e082dcc1cda3458d917e677d14 + SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 + SHA256: 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: 
b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 +Tags: +- 1fc7aeeff3ab19004d2e53eae8160ab1.sys diff --git a/yaml/ac62e709-4aa5-41f4-87b1-b811283d70d1.yaml b/yaml/ac62e709-4aa5-41f4-87b1-b811283d70d1.yaml new file mode 100644 index 000000000..65ffc4a59 --- /dev/null +++ b/yaml/ac62e709-4aa5-41f4-87b1-b811283d70d1.yaml 
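Review bot: `Detection: []` is left empty although the entry classifies the driver as malicious and the hunk already carries stable pivots — the leaf certificate serial `0a005d2e2bcd4137168217d8c727747c` (also referenced under Signer), its TBS hashes, and a RichPEHeaderHash (`ecdd5c0e8a78b145a8e5d9443ff0f2eb`) that is identical across every RedDriver sample in this commit, so a Detection entry keyed on the certificate or Rich-header values would cover the family rather than one file hash. In the same file the sample-level `Signature: ''`, `Date: ''` and `Publisher: ''` appear to contradict the Signatures block below, which records a complete chain and a Signer; Publisher should at least carry the leaf Subject `Beijing JoinHope Image Technology Ltd.`. The leaf's `ValidTo: '2015-05-16 23:59:59'` against `CreationTimestamp: '2023-06-30 01:34:36'` is consistent with the forged-timestamp signing the Description attributes to HookSignTool and is worth stating explicitly in the entry, since it is the observable a defender can verify on the sample. The same gaps are present in yaml/ac62e709-4aa5-41f4-87b1-b811283d70d1.yaml, yaml/b32d8d7d-0dc2-4d09-a306-8efc4caf1839.yaml and yaml/c00f818c-1c90-4b47-bc29-fb949f6efb65.yaml.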
@@ -0,0 +1,219 @@ +Id: ac62e709-4aa5-41f4-87b1-b811283d70d1 +Author: Alice Climent-Pommeret +Created: '2023-07-31' +MitreID: T1014 +Category: malicious +Verified: 'TRUE' +Commands: + Command: sc.exe create a9df5964635ef8bd567ae487c3d214c4.sys binPath=C:\windows\temp\a9df5964635ef8bd567ae487c3d214c4.sys type=kernel + && sc.exe start a9df5964635ef8bd567ae487c3d214c4.sys + Description: "Cisco Talos has identified multiple versions of an undocumented malicious\ + \ driver named \u201CRedDriver,\u201D a driver-based browser hijacker that uses\ + \ the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver\ + \ has been active since at least 2021. RedDriver utilizes HookSignTool to forge\ + \ its signature timestamp to bypass Windows driver-signing policies. Code from\ + \ multiple open-source tools has been used in the development of RedDriver's infection\ + \ chain, including HP-Socket and a custom implementation of ReflectiveLoader.\ + \ The authors of RedDriver appear to be skilled in driver development and have\ + \ deep knowledge of the Windows operating system. This threat appears to target\ + \ native Chinese speakers, as it searches for Chinese language browsers to hijack.\ + \ Additionally, the authors are likely Chinese speakers themselves." 
+ Usecase: '' + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://blog.talosintelligence.com/undocumented-reddriver/ +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Filename: '' + MD5: a9df5964635ef8bd567ae487c3d214c4 + SHA1: a14cd928c60495777629be283c1d5b8ebbab8c0d + SHA256: b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7 + Signature: '' + Date: '' + Publisher: '' + Company: '' + Description: '' + Product: '' + ProductVersion: '' + FileVersion: '' + MachineType: AMD64 + OriginalFilename: '' + Authentihash: + MD5: c50f6bfea0edbca417ea91b00f40bff9 + SHA1: e1b6f524eee540932fe101577d7aa6cc77ebb592 + SHA256: 4e5cdf9d41843ecf7f9e252b706a0c5ca89ce288a4944ee70dd43fcc06965a8f + RichPEHeaderHash: + MD5: ecdd5c0e8a78b145a8e5d9443ff0f2eb + SHA1: 3ed3a76d965f1b5e387959ceedc84567a2f7bca4 + SHA256: 1edc4e310bd57e5c317b972f0bdb9f1f0794009b7039364dd6a879ee5f342754 + Sections: + .text: + Entropy: 6.2119592546505995 + Virtual Size: '0xc1ee' + .rdata: + Entropy: 5.110403242864534 + Virtual Size: '0xbac' + .data: + Entropy: 7.880054968686145 + Virtual Size: '0xa5490' + .pdata: + Entropy: 4.5968345164469415 + Virtual Size: '0x540' + PAGE: + Entropy: 6.308757256393646 + Virtual Size: '0x9b5' + INIT: + Entropy: 5.268683087271941 + Virtual Size: '0xa96' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-06-28 19:49:38' + InternalName: '' + Copyright: '' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - IoRegisterDriverReinitialization + - RtlInitUnicodeString + - IoDeleteDevice + - KeSetEvent + - KeInitializeEvent + - PsCreateSystemThread + - PsTerminateSystemThread + - ZwClose + - IofCompleteRequest + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsThreadType + - IoIsWdmVersionAvailable + - IoCreateSymbolicLink + - IoCreateDevice + - ZwReadFile + - IoCreateFile + - ZwSetInformationFile + - ZwCreateFile + - 
ZwQueryDirectoryFile + - ZwDeleteFile + - ZwOpenFile + - RtlImageNtHeader + - ZwQueryInformationFile + - ZwWriteFile + - ZwSetValueKey + - ZwQueryValueKey + - _vsnprintf + - ZwFlushKey + - ZwDeleteKey + - ZwOpenKey + - _stricmp + - ZwCreateKey + - PsSetLoadImageNotifyRoutine + - PsGetProcessImageFileName + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlGetVersion + - FsRtlIsNameInExpression + - wcsrchr + - PsRemoveLoadImageNotifyRoutine + - MmIsAddressValid + - ObfDereferenceObject + - KeUnstackDetachProcess + - ObOpenObjectByPointer + - KeStackAttachProcess + - ZwAllocateVirtualMemory + - KeClearEvent + - _wcsnicmp + - ObCreateObject + - IoFileObjectType + - IoDriverObjectType + - MmMapLockedPagesSpecifyCache + - IoGetCurrentProcess + - _vsnwprintf + - KeQueryTimeIncrement + - IoGetDeviceAttachmentBaseRef + - IoFreeIrp + - IoAllocateIrp + - RtlCompareUnicodeString + - CmRegisterCallback + - PsGetCurrentProcessId + - RtlCopyUnicodeString + - CmCallbackGetKeyObjectID + - ZwEnumerateKey + - strstr + - KeDelayExecutionThread + - ExSystemTimeToLocalTime + - RtlTimeToTimeFields + - RtlMultiByteToUnicodeN + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - IoFreeMdl + - IoCancelIrp + - MmProbeAndLockPages + - IoAllocateMdl + - IofCallDriver + - ZwMapViewOfSection + - ExGetPreviousMode + - ZwQuerySystemInformation + - ZwUnmapViewOfSection + - ZwCreateSection + - ExFreePool + - KeBugCheckEx + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., + CN=Beijing JoinHope Image Technology Ltd. 
+ ValidFrom: '2014-05-16 00:00:00' + ValidTo: '2015-05-16 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Version: 3 + TBS: + MD5: 4d213d99215f488050faaa39765656d1 + SHA1: 0308508b5a3fcd330bbf28931f8e1a9c93c3ee69 + SHA256: ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2011-02-22 19:25:17' + ValidTo: '2021-02-22 19:35:17' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611993e400000000001c + Version: 3 + TBS: + MD5: 78a717e082dcc1cda3458d917e677d14 + SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 + SHA256: 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 +Tags: +- a9df5964635ef8bd567ae487c3d214c4.sys 
diff --git a/yaml/b32d8d7d-0dc2-4d09-a306-8efc4caf1839.yaml b/yaml/b32d8d7d-0dc2-4d09-a306-8efc4caf1839.yaml new file mode 100644 index 000000000..2b72e7e7c --- /dev/null +++ b/yaml/b32d8d7d-0dc2-4d09-a306-8efc4caf1839.yaml 
@@ -0,0 +1,219 @@ +Id: b32d8d7d-0dc2-4d09-a306-8efc4caf1839 +Author: Alice Climent-Pommeret +Created: '2023-07-31' +MitreID: T1014 +Category: malicious +Verified: 'TRUE' +Commands: + Command: sc.exe create 4118b86e490aed091b1a219dba45f332.sys binPath=C:\windows\temp\4118b86e490aed091b1a219dba45f332.sys type=kernel + && sc.exe start 4118b86e490aed091b1a219dba45f332.sys + Description: "Cisco Talos has identified multiple versions of an undocumented malicious\ + \ driver named \u201CRedDriver,\u201D a driver-based browser hijacker that uses\ + \ the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver\ + \ has been active since at least 2021. RedDriver utilizes HookSignTool to forge\ + \ its signature timestamp to bypass Windows driver-signing policies. Code from\ + \ multiple open-source tools has been used in the development of RedDriver's infection\ + \ chain, including HP-Socket and a custom implementation of ReflectiveLoader.\ + \ The authors of RedDriver appear to be skilled in driver development and have\ + \ deep knowledge of the Windows operating system. This threat appears to target\ + \ native Chinese speakers, as it searches for Chinese language browsers to hijack.\ + \ Additionally, the authors are likely Chinese speakers themselves." 
+ Usecase: '' + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://blog.talosintelligence.com/undocumented-reddriver/ +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Filename: '' + MD5: 4118b86e490aed091b1a219dba45f332 + SHA1: 2929de0b5b5e1ba1cce1908e9d800aa21f448b3d + SHA256: 0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873 + Signature: '' + Date: '' + Publisher: '' + Company: '' + Description: '' + Product: '' + ProductVersion: '' + FileVersion: '' + MachineType: AMD64 + OriginalFilename: '' + Authentihash: + MD5: fba17209a03798252e906344a3af3d8c + SHA1: e240bdbf276ae68a63edb05cfd12169ab779f99a + SHA256: d5b270ac8ca4f87ba51eafb3b28102875bdbdde0f15520ec0a629d8a898c0b2e + RichPEHeaderHash: + MD5: ecdd5c0e8a78b145a8e5d9443ff0f2eb + SHA1: 3ed3a76d965f1b5e387959ceedc84567a2f7bca4 + SHA256: 1edc4e310bd57e5c317b972f0bdb9f1f0794009b7039364dd6a879ee5f342754 + Sections: + .text: + Entropy: 6.2119592546505995 + Virtual Size: '0xc1ee' + .rdata: + Entropy: 5.110403242864534 + Virtual Size: '0xbac' + .data: + Entropy: 7.880049291366828 + Virtual Size: '0xa5490' + .pdata: + Entropy: 4.5968345164469415 + Virtual Size: '0x540' + PAGE: + Entropy: 6.308757256393646 + Virtual Size: '0x9b5' + INIT: + Entropy: 5.268683087271941 + Virtual Size: '0xa96' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-07-02 03:04:12' + InternalName: '' + Copyright: '' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - IoRegisterDriverReinitialization + - RtlInitUnicodeString + - IoDeleteDevice + - KeSetEvent + - KeInitializeEvent + - PsCreateSystemThread + - PsTerminateSystemThread + - ZwClose + - IofCompleteRequest + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsThreadType + - IoIsWdmVersionAvailable + - IoCreateSymbolicLink + - IoCreateDevice + - ZwReadFile + - IoCreateFile + - ZwSetInformationFile + - ZwCreateFile + - 
ZwQueryDirectoryFile + - ZwDeleteFile + - ZwOpenFile + - RtlImageNtHeader + - ZwQueryInformationFile + - ZwWriteFile + - ZwSetValueKey + - ZwQueryValueKey + - _vsnprintf + - ZwFlushKey + - ZwDeleteKey + - ZwOpenKey + - _stricmp + - ZwCreateKey + - PsSetLoadImageNotifyRoutine + - PsGetProcessImageFileName + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlGetVersion + - FsRtlIsNameInExpression + - wcsrchr + - PsRemoveLoadImageNotifyRoutine + - MmIsAddressValid + - ObfDereferenceObject + - KeUnstackDetachProcess + - ObOpenObjectByPointer + - KeStackAttachProcess + - ZwAllocateVirtualMemory + - KeClearEvent + - _wcsnicmp + - ObCreateObject + - IoFileObjectType + - IoDriverObjectType + - MmMapLockedPagesSpecifyCache + - IoGetCurrentProcess + - _vsnwprintf + - KeQueryTimeIncrement + - IoGetDeviceAttachmentBaseRef + - IoFreeIrp + - IoAllocateIrp + - RtlCompareUnicodeString + - CmRegisterCallback + - PsGetCurrentProcessId + - RtlCopyUnicodeString + - CmCallbackGetKeyObjectID + - ZwEnumerateKey + - strstr + - KeDelayExecutionThread + - ExSystemTimeToLocalTime + - RtlTimeToTimeFields + - RtlMultiByteToUnicodeN + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - IoFreeMdl + - IoCancelIrp + - MmProbeAndLockPages + - IoAllocateMdl + - IofCallDriver + - ZwMapViewOfSection + - ExGetPreviousMode + - ZwQuerySystemInformation + - ZwUnmapViewOfSection + - ZwCreateSection + - ExFreePool + - KeBugCheckEx + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., + CN=Beijing JoinHope Image Technology Ltd. 
+ ValidFrom: '2014-05-16 00:00:00' + ValidTo: '2015-05-16 23:59:59' + Signature: e896f8811ed9938fcbdc8c37f8c029045bb36722791c608d7d59f1d50b9e8923777b3ce973553c8164d7445f038c3720516d74f2f95fd734cd1349c1e6cf17f1c9042f069fb94350f7cd8f36f676fd175742d32adbc5d143423e3bc38bea71f9d021110303529d578ba7aab16d53c61642cf1f7e16964718a083182429d4347a09ea0047d9e53bad112ca5a5a14a180539ceb64000a677709bb70e9e3aea68158977072e7f130f1f99b08c2593b4003523f3f6cd441a7e4d8e88f3a2b871e6a03627dd3dadd97487df1dc5b93119ec65b60d1e4e0248a1978ee7480c08b8b8e54d890e7941aa852cf65d731cf0a6cf66584a0d0fba70d6697ee22a8d859919f4 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Version: 3 + TBS: + MD5: 4d213d99215f488050faaa39765656d1 + SHA1: 0308508b5a3fcd330bbf28931f8e1a9c93c3ee69 + SHA256: ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2011-02-22 19:25:17' + ValidTo: '2021-02-22 19:35:17' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611993e400000000001c + Version: 3 + TBS: + MD5: 78a717e082dcc1cda3458d917e677d14 + SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 + SHA256: 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: 
b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 +Tags: +- 4118b86e490aed091b1a219dba45f332.sys diff --git a/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml b/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml index 1f7eb0527..3a310c837 100644 --- a/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml +++ b/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml @@ -846,8 +846,8 @@ KnownVulnerableSamples: Version: 1 MitreID: T1068 Resources: -- 'https://github.com/jbaines-r7/dellicious' -- 'https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/' +- https://github.com/jbaines-r7/dellicious +- https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/ Tags: - sandra.sys Verified: 'TRUE' diff --git a/yaml/c00f818c-1c90-4b47-bc29-fb949f6efb65.yaml b/yaml/c00f818c-1c90-4b47-bc29-fb949f6efb65.yaml new file mode 100644 index 000000000..bb55cb6dd --- /dev/null +++ b/yaml/c00f818c-1c90-4b47-bc29-fb949f6efb65.yaml 
@@ -0,0 +1,219 @@ +Id: c00f818c-1c90-4b47-bc29-fb949f6efb65 +Author: Alice Climent-Pommeret +Created: '2023-07-31' +MitreID: T1014 +Category: malicious +Verified: 'TRUE' +Commands: + Command: sc.exe create e29f6311ae87542b3d693c1f38e4e3ad.sys binPath=C:\windows\temp\e29f6311ae87542b3d693c1f38e4e3ad.sys type=kernel + && sc.exe start e29f6311ae87542b3d693c1f38e4e3ad.sys + Description: "Cisco Talos has identified multiple versions of an undocumented malicious\ + \ driver named \u201CRedDriver,\u201D a driver-based browser hijacker that uses\ + \ the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver\ + \ has been active since at least 2021. RedDriver utilizes HookSignTool to forge\ + \ its signature timestamp to bypass Windows driver-signing policies. Code from\ + \ multiple open-source tools has been used in the development of RedDriver's infection\ + \ chain, including HP-Socket and a custom implementation of ReflectiveLoader.\ + \ The authors of RedDriver appear to be skilled in driver development and have\ + \ deep knowledge of the Windows operating system. This threat appears to target\ + \ native Chinese speakers, as it searches for Chinese language browsers to hijack.\ + \ Additionally, the authors are likely Chinese speakers themselves." 
+ Usecase: '' + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://blog.talosintelligence.com/undocumented-reddriver/ +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Filename: '' + MD5: e29f6311ae87542b3d693c1f38e4e3ad + SHA1: 27371f45f42383029c3c2e6d64a22e35dc772a72 + SHA256: d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6 + Signature: '' + Date: '' + Publisher: '' + Company: '' + Description: '' + Product: '' + ProductVersion: '' + FileVersion: '' + MachineType: AMD64 + OriginalFilename: '' + Authentihash: + MD5: 20b5622a89defecbf5fc8aa084c4b43e + SHA1: 6e80c1b17905dca548dc5a3a8751f1b75159b916 + SHA256: 3db84cbf299307b1d3500b50355cf35f63d69c6c56d117335fbef7c84ddcc09b + RichPEHeaderHash: + MD5: ecdd5c0e8a78b145a8e5d9443ff0f2eb + SHA1: 3ed3a76d965f1b5e387959ceedc84567a2f7bca4 + SHA256: 1edc4e310bd57e5c317b972f0bdb9f1f0794009b7039364dd6a879ee5f342754 + Sections: + .text: + Entropy: 6.2119592546505995 + Virtual Size: '0xc1ee' + .rdata: + Entropy: 5.110403242864534 + Virtual Size: '0xbac' + .data: + Entropy: 7.880061616520016 + Virtual Size: '0xa5490' + .pdata: + Entropy: 4.5968345164469415 + Virtual Size: '0x540' + PAGE: + Entropy: 6.308757256393646 + Virtual Size: '0x9b5' + INIT: + Entropy: 5.268683087271941 + Virtual Size: '0xa96' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-07-08 19:13:45' + InternalName: '' + Copyright: '' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - IoRegisterDriverReinitialization + - RtlInitUnicodeString + - IoDeleteDevice + - KeSetEvent + - KeInitializeEvent + - PsCreateSystemThread + - PsTerminateSystemThread + - ZwClose + - IofCompleteRequest + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsThreadType + - IoIsWdmVersionAvailable + - IoCreateSymbolicLink + - IoCreateDevice + - ZwReadFile + - IoCreateFile + - ZwSetInformationFile + - ZwCreateFile + - 
ZwQueryDirectoryFile + - ZwDeleteFile + - ZwOpenFile + - RtlImageNtHeader + - ZwQueryInformationFile + - ZwWriteFile + - ZwSetValueKey + - ZwQueryValueKey + - _vsnprintf + - ZwFlushKey + - ZwDeleteKey + - ZwOpenKey + - _stricmp + - ZwCreateKey + - PsSetLoadImageNotifyRoutine + - PsGetProcessImageFileName + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlGetVersion + - FsRtlIsNameInExpression + - wcsrchr + - PsRemoveLoadImageNotifyRoutine + - MmIsAddressValid + - ObfDereferenceObject + - KeUnstackDetachProcess + - ObOpenObjectByPointer + - KeStackAttachProcess + - ZwAllocateVirtualMemory + - KeClearEvent + - _wcsnicmp + - ObCreateObject + - IoFileObjectType + - IoDriverObjectType + - MmMapLockedPagesSpecifyCache + - IoGetCurrentProcess + - _vsnwprintf + - KeQueryTimeIncrement + - IoGetDeviceAttachmentBaseRef + - IoFreeIrp + - IoAllocateIrp + - RtlCompareUnicodeString + - CmRegisterCallback + - PsGetCurrentProcessId + - RtlCopyUnicodeString + - CmCallbackGetKeyObjectID + - ZwEnumerateKey + - strstr + - KeDelayExecutionThread + - ExSystemTimeToLocalTime + - RtlTimeToTimeFields + - RtlMultiByteToUnicodeN + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - IoFreeMdl + - IoCancelIrp + - MmProbeAndLockPages + - IoAllocateMdl + - IofCallDriver + - ZwMapViewOfSection + - ExGetPreviousMode + - ZwQuerySystemInformation + - ZwUnmapViewOfSection + - ZwCreateSection + - ExFreePool + - KeBugCheckEx + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., + CN=Beijing JoinHope Image Technology Ltd. 
+ ValidFrom: '2014-05-16 00:00:00' + ValidTo: '2015-05-16 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Version: 3 + TBS: + MD5: 4d213d99215f488050faaa39765656d1 + SHA1: 0308508b5a3fcd330bbf28931f8e1a9c93c3ee69 + SHA256: ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2011-02-22 19:25:17' + ValidTo: '2021-02-22 19:35:17' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611993e400000000001c + Version: 3 + TBS: + MD5: 78a717e082dcc1cda3458d917e677d14 + SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 + SHA256: 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 +Tags: +- e29f6311ae87542b3d693c1f38e4e3ad.sys 
diff --git a/yaml/ddca6daf-4932-4e82-ad3c-d92d47632ea4.yaml b/yaml/ddca6daf-4932-4e82-ad3c-d92d47632ea4.yaml new file mode 100644 index 000000000..a00bc3df0 --- /dev/null +++ b/yaml/ddca6daf-4932-4e82-ad3c-d92d47632ea4.yaml 
@@ -0,0 +1,219 @@ +Id: ddca6daf-4932-4e82-ad3c-d92d47632ea4 +Author: Alice Climent-Pommeret +Created: '2023-07-31' +MitreID: T1014 +Category: malicious +Verified: 'TRUE' +Commands: + Command: sc.exe create 6771b13a53b9c7449d4891e427735ea2.sys binPath=C:\windows\temp\6771b13a53b9c7449d4891e427735ea2.sys type=kernel + && sc.exe start 6771b13a53b9c7449d4891e427735ea2.sys + Description: "Cisco Talos has identified multiple versions of an undocumented malicious\ + \ driver named \u201CRedDriver,\u201D a driver-based browser hijacker that uses\ + \ the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver\ + \ has been active since at least 2021. RedDriver utilizes HookSignTool to forge\ + \ its signature timestamp to bypass Windows driver-signing policies. Code from\ + \ multiple open-source tools has been used in the development of RedDriver's infection\ + \ chain, including HP-Socket and a custom implementation of ReflectiveLoader.\ + \ The authors of RedDriver appear to be skilled in driver development and have\ + \ deep knowledge of the Windows operating system. This threat appears to target\ + \ native Chinese speakers, as it searches for Chinese language browsers to hijack.\ + \ Additionally, the authors are likely Chinese speakers themselves." 
+ Usecase: '' + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://blog.talosintelligence.com/undocumented-reddriver/ +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Filename: '' + MD5: 6771b13a53b9c7449d4891e427735ea2 + SHA1: 98c4406fede34c3704afd8cf536ec20d93df9a10 + SHA256: a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b + Signature: '' + Date: '' + Publisher: '' + Company: '' + Description: '' + Product: '' + ProductVersion: '' + FileVersion: '' + MachineType: AMD64 + OriginalFilename: '' + Authentihash: + MD5: 39eb5df6c886eddca1a5597097f209df + SHA1: 97faafa4a612b3e7b20e28df712bc7f700eaa840 + SHA256: b975bb2aeb265f1e943a9ca501fc76e2b4514e874ca449c0e59fb36bacf17159 + RichPEHeaderHash: + MD5: ecdd5c0e8a78b145a8e5d9443ff0f2eb + SHA1: 3ed3a76d965f1b5e387959ceedc84567a2f7bca4 + SHA256: 1edc4e310bd57e5c317b972f0bdb9f1f0794009b7039364dd6a879ee5f342754 + Sections: + .text: + Entropy: 6.2119592546505995 + Virtual Size: '0xc1ee' + .rdata: + Entropy: 5.110403242864534 + Virtual Size: '0xbac' + .data: + Entropy: 7.880034750078154 + Virtual Size: '0xa5490' + .pdata: + Entropy: 4.5968345164469415 + Virtual Size: '0x540' + PAGE: + Entropy: 6.308757256393646 + Virtual Size: '0x9b5' + INIT: + Entropy: 5.268683087271941 + Virtual Size: '0xa96' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-07-10 21:46:19' + InternalName: '' + Copyright: '' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - IoRegisterDriverReinitialization + - RtlInitUnicodeString + - IoDeleteDevice + - KeSetEvent + - KeInitializeEvent + - PsCreateSystemThread + - PsTerminateSystemThread + - ZwClose + - IofCompleteRequest + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsThreadType + - IoIsWdmVersionAvailable + - IoCreateSymbolicLink + - IoCreateDevice + - ZwReadFile + - IoCreateFile + - ZwSetInformationFile + - ZwCreateFile + - 
ZwQueryDirectoryFile + - ZwDeleteFile + - ZwOpenFile + - RtlImageNtHeader + - ZwQueryInformationFile + - ZwWriteFile + - ZwSetValueKey + - ZwQueryValueKey + - _vsnprintf + - ZwFlushKey + - ZwDeleteKey + - ZwOpenKey + - _stricmp + - ZwCreateKey + - PsSetLoadImageNotifyRoutine + - PsGetProcessImageFileName + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlGetVersion + - FsRtlIsNameInExpression + - wcsrchr + - PsRemoveLoadImageNotifyRoutine + - MmIsAddressValid + - ObfDereferenceObject + - KeUnstackDetachProcess + - ObOpenObjectByPointer + - KeStackAttachProcess + - ZwAllocateVirtualMemory + - KeClearEvent + - _wcsnicmp + - ObCreateObject + - IoFileObjectType + - IoDriverObjectType + - MmMapLockedPagesSpecifyCache + - IoGetCurrentProcess + - _vsnwprintf + - KeQueryTimeIncrement + - IoGetDeviceAttachmentBaseRef + - IoFreeIrp + - IoAllocateIrp + - RtlCompareUnicodeString + - CmRegisterCallback + - PsGetCurrentProcessId + - RtlCopyUnicodeString + - CmCallbackGetKeyObjectID + - ZwEnumerateKey + - strstr + - KeDelayExecutionThread + - ExSystemTimeToLocalTime + - RtlTimeToTimeFields + - RtlMultiByteToUnicodeN + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - IoFreeMdl + - IoCancelIrp + - MmProbeAndLockPages + - IoAllocateMdl + - IofCallDriver + - ZwMapViewOfSection + - ExGetPreviousMode + - ZwQuerySystemInformation + - ZwUnmapViewOfSection + - ZwCreateSection + - ExFreePool + - KeBugCheckEx + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., + CN=Beijing JoinHope Image Technology Ltd. 
+ ValidFrom: '2014-05-16 00:00:00' + ValidTo: '2015-05-16 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Version: 3 + TBS: + MD5: 4d213d99215f488050faaa39765656d1 + SHA1: 0308508b5a3fcd330bbf28931f8e1a9c93c3ee69 + SHA256: ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2011-02-22 19:25:17' + ValidTo: '2021-02-22 19:35:17' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611993e400000000001c + Version: 3 + TBS: + MD5: 78a717e082dcc1cda3458d917e677d14 + SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 + SHA256: 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 +Tags: +- 6771b13a53b9c7449d4891e427735ea2.sys 
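Review bot: `Detection: []` leaves this entry with no detection content even though the hunk itself carries a high-fidelity indicator: the leaf signer is `Beijing JoinHope Image Technology Ltd.` (serial `0a005d2e2bcd4137168217d8c727747c`, TBS SHA256 `ea947432…`) with validity ending `2015-05-16`, while the PE `CreationTimestamp` is `2023-07-10 21:46:19`, which is the forged-timestamp pattern the Description attributes to HookSignTool. That certificate serial and TBS hash are exactly what a blocklist or Sigma/YARA rule would key on, so at minimum the entry should reference a rule built on them (the Detection item schema used elsewhere in the repository is not visible in this hunk, so I cannot quote the exact shape). The `Publisher: ''`, `Signature: ''` and `Date: ''` fields are also left blank although the Signatures block establishes the signer, so consumers that filter on Publisher will see nothing; populating `Publisher: Beijing JoinHope Image Technology Ltd.` from the leaf Subject would keep the entry consistent with its own certificate data. Note that `SignerInfo: ''` and `CertificatesInfo: ''` are empty, so the countersignature timestamp that the "forged timestamp" claim depends on is not captured here and can only be verified from the sample itself.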
diff --git a/yaml/ddefecdd-9410-46d9-8957-e23aac1aba0c.yaml b/yaml/ddefecdd-9410-46d9-8957-e23aac1aba0c.yaml new file mode 100644 index 000000000..224dd3368 --- /dev/null +++ b/yaml/ddefecdd-9410-46d9-8957-e23aac1aba0c.yaml 
@@ -0,0 +1,219 @@ +Id: ddefecdd-9410-46d9-8957-e23aac1aba0c +Author: Alice Climent-Pommeret +Created: '2023-07-31' +MitreID: T1014 +Category: malicious +Verified: 'TRUE' +Commands: + Command: sc.exe create c94f405c5929cfcccc8ad00b42c95083.sys binPath=C:\windows\temp\c94f405c5929cfcccc8ad00b42c95083.sys type=kernel + && sc.exe start c94f405c5929cfcccc8ad00b42c95083.sys + Description: "Cisco Talos has identified multiple versions of an undocumented malicious\ + \ driver named \u201CRedDriver,\u201D a driver-based browser hijacker that uses\ + \ the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver\ + \ has been active since at least 2021. RedDriver utilizes HookSignTool to forge\ + \ its signature timestamp to bypass Windows driver-signing policies. Code from\ + \ multiple open-source tools has been used in the development of RedDriver's infection\ + \ chain, including HP-Socket and a custom implementation of ReflectiveLoader.\ + \ The authors of RedDriver appear to be skilled in driver development and have\ + \ deep knowledge of the Windows operating system. This threat appears to target\ + \ native Chinese speakers, as it searches for Chinese language browsers to hijack.\ + \ Additionally, the authors are likely Chinese speakers themselves." 
+ Usecase: '' + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://blog.talosintelligence.com/undocumented-reddriver/ +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Filename: '' + MD5: c94f405c5929cfcccc8ad00b42c95083 + SHA1: 03e82eae4d8b155e22ffdafe7ba0c4ab74e8c1a7 + SHA256: da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee + Signature: '' + Date: '' + Publisher: '' + Company: '' + Description: '' + Product: '' + ProductVersion: '' + FileVersion: '' + MachineType: AMD64 + OriginalFilename: '' + Authentihash: + MD5: 0895b0ede1999778543eed8b8ea48fda + SHA1: 6d7cbfc4e0bb441863e6a7b4c865e05948d6390d + SHA256: e42d8953f90e0b052adacd6c8e6cc240d723e5b4605ac897fe9667e661f9ed3c + RichPEHeaderHash: + MD5: ecdd5c0e8a78b145a8e5d9443ff0f2eb + SHA1: 3ed3a76d965f1b5e387959ceedc84567a2f7bca4 + SHA256: 1edc4e310bd57e5c317b972f0bdb9f1f0794009b7039364dd6a879ee5f342754 + Sections: + .text: + Entropy: 6.2119592546505995 + Virtual Size: '0xc1ee' + .rdata: + Entropy: 5.110403242864534 + Virtual Size: '0xbac' + .data: + Entropy: 7.880069642714129 + Virtual Size: '0xa5490' + .pdata: + Entropy: 4.5968345164469415 + Virtual Size: '0x540' + PAGE: + Entropy: 6.308757256393646 + Virtual Size: '0x9b5' + INIT: + Entropy: 5.268683087271941 + Virtual Size: '0xa96' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-07-08 12:40:11' + InternalName: '' + Copyright: '' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - IoRegisterDriverReinitialization + - RtlInitUnicodeString + - IoDeleteDevice + - KeSetEvent + - KeInitializeEvent + - PsCreateSystemThread + - PsTerminateSystemThread + - ZwClose + - IofCompleteRequest + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsThreadType + - IoIsWdmVersionAvailable + - IoCreateSymbolicLink + - IoCreateDevice + - ZwReadFile + - IoCreateFile + - ZwSetInformationFile + - ZwCreateFile + - 
ZwQueryDirectoryFile + - ZwDeleteFile + - ZwOpenFile + - RtlImageNtHeader + - ZwQueryInformationFile + - ZwWriteFile + - ZwSetValueKey + - ZwQueryValueKey + - _vsnprintf + - ZwFlushKey + - ZwDeleteKey + - ZwOpenKey + - _stricmp + - ZwCreateKey + - PsSetLoadImageNotifyRoutine + - PsGetProcessImageFileName + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlGetVersion + - FsRtlIsNameInExpression + - wcsrchr + - PsRemoveLoadImageNotifyRoutine + - MmIsAddressValid + - ObfDereferenceObject + - KeUnstackDetachProcess + - ObOpenObjectByPointer + - KeStackAttachProcess + - ZwAllocateVirtualMemory + - KeClearEvent + - _wcsnicmp + - ObCreateObject + - IoFileObjectType + - IoDriverObjectType + - MmMapLockedPagesSpecifyCache + - IoGetCurrentProcess + - _vsnwprintf + - KeQueryTimeIncrement + - IoGetDeviceAttachmentBaseRef + - IoFreeIrp + - IoAllocateIrp + - RtlCompareUnicodeString + - CmRegisterCallback + - PsGetCurrentProcessId + - RtlCopyUnicodeString + - CmCallbackGetKeyObjectID + - ZwEnumerateKey + - strstr + - KeDelayExecutionThread + - ExSystemTimeToLocalTime + - RtlTimeToTimeFields + - RtlMultiByteToUnicodeN + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - IoFreeMdl + - IoCancelIrp + - MmProbeAndLockPages + - IoAllocateMdl + - IofCallDriver + - ZwMapViewOfSection + - ExGetPreviousMode + - ZwQuerySystemInformation + - ZwUnmapViewOfSection + - ZwCreateSection + - ExFreePool + - KeBugCheckEx + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., + CN=Beijing JoinHope Image Technology Ltd. 
+ ValidFrom: '2014-05-16 00:00:00' + ValidTo: '2015-05-16 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Version: 3 + TBS: + MD5: 4d213d99215f488050faaa39765656d1 + SHA1: 0308508b5a3fcd330bbf28931f8e1a9c93c3ee69 + SHA256: ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2011-02-22 19:25:17' + ValidTo: '2021-02-22 19:35:17' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611993e400000000001c + Version: 3 + TBS: + MD5: 78a717e082dcc1cda3458d917e677d14 + SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 + SHA256: 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 +Tags: +- c94f405c5929cfcccc8ad00b42c95083.sys 
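Review bot: The load command `sc.exe create c94f405c5929cfcccc8ad00b42c95083.sys binPath=C:\windows\temp\c94f405c5929cfcccc8ad00b42c95083.sys type=kernel` is very likely rejected by sc.exe, whose parser requires a space between the `=` of each option name and its value (`binPath= …`, `type= …`); as written it would print usage instead of creating the service. The line should read `sc.exe create c94f405c5929cfcccc8ad00b42c95083.sys binPath= C:\windows\temp\c94f405c5929cfcccc8ad00b42c95083.sys type= kernel && sc.exe start c94f405c5929cfcccc8ad00b42c95083.sys`. Since the same template appears in the sibling entries added in this change, it is worth fixing at the generator rather than per file. Separately, `Detection: []` is empty although the leaf certificate (serial `0a005d2e2bcd4137168217d8c727747c`, expired `2015-05-16`) signing a PE with `CreationTimestamp: '2023-07-08 12:40:11'` is a directly usable indicator; PE timestamps can themselves be manipulated, so phrase any rule around the certificate rather than the build time.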
diff --git a/yaml/ef6b5fe8-6c4b-4b32-8adc-c1d8a83e8558.yaml b/yaml/ef6b5fe8-6c4b-4b32-8adc-c1d8a83e8558.yaml new file mode 100644 index 000000000..47a7f37b6 --- /dev/null +++ b/yaml/ef6b5fe8-6c4b-4b32-8adc-c1d8a83e8558.yaml 
@@ -0,0 +1,219 @@ +Id: ef6b5fe8-6c4b-4b32-8adc-c1d8a83e8558 +Author: Alice Climent-Pommeret +Created: '2023-07-31' +MitreID: T1014 +Category: malicious +Verified: 'TRUE' +Commands: + Command: sc.exe create a26363e7b02b13f2b8d697abb90cd5c3.sys binPath=C:\windows\temp\a26363e7b02b13f2b8d697abb90cd5c3.sys type=kernel + && sc.exe start a26363e7b02b13f2b8d697abb90cd5c3.sys + Description: "Cisco Talos has identified multiple versions of an undocumented malicious\ + \ driver named \u201CRedDriver,\u201D a driver-based browser hijacker that uses\ + \ the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver\ + \ has been active since at least 2021. RedDriver utilizes HookSignTool to forge\ + \ its signature timestamp to bypass Windows driver-signing policies. Code from\ + \ multiple open-source tools has been used in the development of RedDriver's infection\ + \ chain, including HP-Socket and a custom implementation of ReflectiveLoader.\ + \ The authors of RedDriver appear to be skilled in driver development and have\ + \ deep knowledge of the Windows operating system. This threat appears to target\ + \ native Chinese speakers, as it searches for Chinese language browsers to hijack.\ + \ Additionally, the authors are likely Chinese speakers themselves." 
+ Usecase: '' + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://blog.talosintelligence.com/undocumented-reddriver/ +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Filename: '' + MD5: a26363e7b02b13f2b8d697abb90cd5c3 + SHA1: 18693de1487c55e374b46a7728b5bf43300d4f69 + SHA256: 42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327 + Signature: '' + Date: '' + Publisher: '' + Company: '' + Description: '' + Product: '' + ProductVersion: '' + FileVersion: '' + MachineType: AMD64 + OriginalFilename: '' + Authentihash: + MD5: 973487ded5a1e7b32d97de36ce4a45cc + SHA1: fe263450295cfa07653d2c9a6bc6f75324c9163b + SHA256: 4225bd4ba3f5d6d5cbd0606402aedca7342e2538abf85309ed3ccef0a738cbb8 + RichPEHeaderHash: + MD5: ecdd5c0e8a78b145a8e5d9443ff0f2eb + SHA1: 3ed3a76d965f1b5e387959ceedc84567a2f7bca4 + SHA256: 1edc4e310bd57e5c317b972f0bdb9f1f0794009b7039364dd6a879ee5f342754 + Sections: + .text: + Entropy: 6.2119592546505995 + Virtual Size: '0xc1ee' + .rdata: + Entropy: 5.110403242864534 + Virtual Size: '0xbac' + .data: + Entropy: 7.880059123812229 + Virtual Size: '0xa5490' + .pdata: + Entropy: 4.5968345164469415 + Virtual Size: '0x540' + PAGE: + Entropy: 6.308757256393646 + Virtual Size: '0x9b5' + INIT: + Entropy: 5.268683087271941 + Virtual Size: '0xa96' + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-06-30 05:42:51' + InternalName: '' + Copyright: '' + Imports: + - ntoskrnl.exe + ExportedFunctions: '' + ImportedFunctions: + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - IoRegisterDriverReinitialization + - RtlInitUnicodeString + - IoDeleteDevice + - KeSetEvent + - KeInitializeEvent + - PsCreateSystemThread + - PsTerminateSystemThread + - ZwClose + - IofCompleteRequest + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - PsThreadType + - IoIsWdmVersionAvailable + - IoCreateSymbolicLink + - IoCreateDevice + - ZwReadFile + - IoCreateFile + - ZwSetInformationFile + - ZwCreateFile + - 
ZwQueryDirectoryFile + - ZwDeleteFile + - ZwOpenFile + - RtlImageNtHeader + - ZwQueryInformationFile + - ZwWriteFile + - ZwSetValueKey + - ZwQueryValueKey + - _vsnprintf + - ZwFlushKey + - ZwDeleteKey + - ZwOpenKey + - _stricmp + - ZwCreateKey + - PsSetLoadImageNotifyRoutine + - PsGetProcessImageFileName + - PsLookupProcessByProcessId + - MmGetSystemRoutineAddress + - RtlGetVersion + - FsRtlIsNameInExpression + - wcsrchr + - PsRemoveLoadImageNotifyRoutine + - MmIsAddressValid + - ObfDereferenceObject + - KeUnstackDetachProcess + - ObOpenObjectByPointer + - KeStackAttachProcess + - ZwAllocateVirtualMemory + - KeClearEvent + - _wcsnicmp + - ObCreateObject + - IoFileObjectType + - IoDriverObjectType + - MmMapLockedPagesSpecifyCache + - IoGetCurrentProcess + - _vsnwprintf + - KeQueryTimeIncrement + - IoGetDeviceAttachmentBaseRef + - IoFreeIrp + - IoAllocateIrp + - RtlCompareUnicodeString + - CmRegisterCallback + - PsGetCurrentProcessId + - RtlCopyUnicodeString + - CmCallbackGetKeyObjectID + - ZwEnumerateKey + - strstr + - KeDelayExecutionThread + - ExSystemTimeToLocalTime + - RtlTimeToTimeFields + - RtlMultiByteToUnicodeN + - IoBuildDeviceIoControlRequest + - IoGetRelatedDeviceObject + - IoFreeMdl + - IoCancelIrp + - MmProbeAndLockPages + - IoAllocateMdl + - IofCallDriver + - ZwMapViewOfSection + - ExGetPreviousMode + - ZwQuerySystemInformation + - ZwUnmapViewOfSection + - ZwCreateSection + - ExFreePool + - KeBugCheckEx + - __C_specific_handler + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., + CN=Beijing JoinHope Image Technology Ltd. 
+ ValidFrom: '2014-05-16 00:00:00' + ValidTo: '2015-05-16 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Version: 3 + TBS: + MD5: 4d213d99215f488050faaa39765656d1 + SHA1: 0308508b5a3fcd330bbf28931f8e1a9c93c3ee69 + SHA256: ea947432de238a25fdb7892e436f4ef44f30ab16ae9e1eb914860f4808b25ef2 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, + Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification + Authority , G5 + ValidFrom: '2011-02-22 19:25:17' + ValidTo: '2021-02-22 19:35:17' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611993e400000000001c + Version: 3 + TBS: + MD5: 78a717e082dcc1cda3458d917e677d14 + SHA1: 4a872e0e51f9b304469cd1dedb496ee9b8b983a4 + SHA256: 317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8 + - Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use + at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + ValidFrom: '2010-02-08 00:00:00' + ValidTo: '2020-02-07 23:59:59' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7 + Version: 3 + TBS: + MD5: b30c31a572b0409383ed3fbe17e56e81 + SHA1: 4843a82ed3b1f2bfbee9671960e1940c942f688d + SHA256: 03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9 + Signer: + - SerialNumber: 0a005d2e2bcd4137168217d8c727747c + Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at + https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 + CA + Version: 1 +Tags: +- a26363e7b02b13f2b8d697abb90cd5c3.sys
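Review bot: This entry is the third RedDriver sample in the change with an identical `RichPEHeaderHash` (`ecdd5c0e8a78b145a8e5d9443ff0f2eb`), identical section layout and Virtual Sizes, the same `ImportedFunctions` list, and the same stolen signer chain (`Beijing JoinHope Image Technology Ltd.` under `VeriSign Class 3 Code Signing 2010 CA`, all `sha1WithRSAEncryption`, OID `1.2.840.113549.1.1.5`), differing only in `.data` entropy and the `CreationTimestamp` (`2023-06-30 05:42:51` here), yet nothing ties the three records together or feeds a detection. `Detection: []` should at least point at a rule on the shared Rich header hash or the leaf certificate serial `0a005d2e2bcd4137168217d8c727747c`, both of which are stable across the variants shown in this diff (the repository's Detection item schema is outside this hunk, so I am not quoting a concrete item). Adding a shared tag such as `- RedDriver` under `Tags:` next to the hash-named `.sys` entry would let consumers group the variants, and `Publisher: ''` should be filled from the leaf Subject so the blank field does not contradict the Signatures block below it. Whether the chain validated on a live system depends on a countersignature timestamp that `SignerInfo: ''` does not record, so that part of the Description remains unverifiable from the entry alone.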